Tag: GROUP | Page 8

Group permission misconfiguration exposes Google Kubernetes Engine clusters

January 25, 2024/in Internet Security

GKE also supports anonymous access, and requests made to the Kubernetes API without presenting a client certificate or an authorized bearer token will automatically be executed as the “system:anonymous” user and the “system:unauthenticated” group role. However, if a token or certificate is presented, the API request will be identified as the corresponding identity with its defined roles but also with the roles assigned to the system:authenticated group. By default, this group provides access to some basic discovery URLs that don’t expose sensitive information, but admins could expand the group’s permissions without realizing the implications. “Administrators might think that binding system:authenticated to a new role, to ease their managerial burden of tens or hundreds of users, is completely safe,” the researchers said. “Although this definitely makes sense at first glance, this could actually turn out to be a nightmare scenario.”

To execute authenticated requests to a GKE cluster, all a user needs to do is use Google’s OAuth 2.0 Playground and authorize their account for the Kubernetes Engine API v1. By completing the playgroup authorization process, any user with a Google account can obtain an authorization code that can be exchanged for an access token on the same page. This access token can then be used to send requests to any GKE cluster and successfully identify as system:authenticated, which includes the system:basicuser role.

The system:basicuser allows users to list all the permissions they currently have, including those inherited from the system:authenticated group by querying the SelfSubjectRulesReview object. This provides a simple way for attackers to investigate whether a cluster’s admin has overpermissioned system:authenticated.

The Orca researchers demonstrated the impact with an example where the admin decided to associate any authenticated user with the ability to read all resources across all apiGroups in the cluster. This is “something that can be somewhat useful when there is a real governance around the users which can authenticate to the cluster, but not on GKE,” they said. “Our attacker can now, in the current…

Source…

Microsoft hacked: Tech company reveals hack by Russia-backed group, Midnight Blizzard, or Nobelium

January 24, 2024/in Internet Security

CHICAGO — Microsoft revealed Friday that some of its corporate email accounts were hacked by a Russian-backed group.

The tech company said in a blog post that its security team detected the attack on Jan. 12 and quickly identified the group responsible: Midnight Blizzard, “the Russian state-sponsored actor also known as Nobelium.”

In late November, the group allegedly used a “password spray attack,” where a user uses a single common password against multiple accounts on the same application, to “compromise a legacy non-production test tenant account and gain a foothold,” according to Microsoft.

The group then “used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” the company said.

The hackers allegedly were targeting email accounts for information related to Midnight Blizzard, Microsoft said.

Microsoft was able to remove the hacker’s access to the email accounts on Jan. 13, according to a company filing with the SEC.

“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required,” the company said.

The company said it is in the process of informing its affected users.

The investigation is ongoing.

Source…

Russian Group Delivering Malware Via Using PDFS: Google

January 23, 2024/in Computer Security

SAN FRANCISCO, CA (IANS) – Google researchers have observed that the notorious Russian threat group — COLDRIVER, focused on credential phishing activities, has now gone beyond it by delivering “malware via campaigns using PDFs as lure documents”.

Also known as ‘UNC4057’, ‘Star Blizzard’ and ‘Callisto’ has focused on credential phishing against Ukraine, NATO countries, academic institutions, and NGOs.

To gain the trust of targets, the group often utilizes impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target.

According to new research by Google’s Threat Analysis Group (TAG), Coldriver has increased its activity in recent months and is now using new tactics that can cause more disruption to its victims.

“As far back as November 2022, TAG has observed Coldriver sending targets benign PDF documents from impersonation accounts,” Google said in a blogpost on January 18.

The threat group presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted, the researchers explained.

If the target responds that they cannot read the encrypted document, the Coldriver impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use.

“This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving Coldriver access to the victim’s machine,” the researchers said.

In 2015 and 2016, TAG observed Coldriver using the Scout implant that was leaked during the Hacking Team incident of July 2015.

SPICA represents the first custom malware that the TAG researchers attribute to being developed and used by Coldriver

The researchers have observed SPICA being used as early as September 2023, but believe that Coldriver’s use of the backdoor goes back to at least November 2022.

Source…