Tag Archive for: Misconfigured

Misconfigured Windows Servers contributed to DDoS attacks

/in


What can two businesses on two different continents have in common?  Incorrectly configured Microsoft servers that have been spewing gigabytes per second of junk packets causing distributed denial of service attacks (DDOS) on unsuspecting services and businesses.  These attacks can certainly disrupt a business or in some cases take it down without proper protection, which oftentimes isn’t affordable for a small business.

According to a recently published report by Black Lotus Labs, more than 12,000 servers running  Microsoft Domain Controllers with Active Directory were often used to magnify DDOS attacks.  For years it’s been a constant battle of attacker and defender, often times all the attacker had to do was gain control of an ever-growing list of connected devices in a botnet and use them to attack.  One of the more common methods of attacks is called reflection.  Reflection is when instead of flooding one device with data packets attackers send the attack to third-party servers.  Using third parties with misconfigured servers and spoofing the packets gives the appearance that the attack is coming from the target.  These third-party servers unknowingly end up reflecting the attack at the target often ten times larger than it started.

A growing source of attacks over the last year has been the  Connectionless Lightweight Directory Access Protocol (CLDAP) which is a version of the standard Lightweight Directory Access Protocol (LDAP). CLDAP uses User Datagram Protocol packets to authenticate users and discover services when signing into Active Directory.   Chad Davis, a researcher at Black Lotus had this to say in a recent email.

“When these domain controllers are not exposed to the open Internet (which is true for the vast majority of the deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to reflection.”

Attackers have been using the protocol since 2007 to magnify attacks.  When researchers first discovered the misconfiguration in CLDAP servers the number was in the tens of thousands.  Once the issue was brought to the administrator’s attention the number dropped significantly, though it has risen sharply again…

Source…

Over 900K Kubernetes clusters are misconfigured! Is yours a target? • Graham Cluley

/in


Over 900K Kubernetes clusters are misconfigured! Is your cluster a target?

Many thanks to the great team at Teleport, who have sponsored my writing for the past week.

Kubernetes is an amazing platform for managing containers at scale. However, a recent study found that over 900,000 Kubernetes clusters are vulnerable to attack because they are misconfigured! This means that your Kubernetes cluster could be a target for malicious hackers if it is not properly secured. In this article, we will discuss how to secure your Kubernetes cluster and protect it from attack.

The scan from cyble found over 900K Kubernetes clusters exposed to the internet, with over 800 returning an `200 OK` Response code when queried. This means that an anonymous user can potentially get full access to the pods and the Kubernetes Dashboard.

Having a public Kubernetes API server endpoint isn’t necessarily a bad thing. With the correct authentication, it’s OK to keep it public. But as Kubernetes vulnerabilities are found, it’s a good idea to limit the API server endpoint access to only those that need it.

For people self hosts, you can limit IP addresses using software-based firewalls and if using a hosted Kubernetes service, many offer the ability to make the API either Public, Limited per CIDR or Private. Private only lets access via a VPC and completely disables public internet access to the API Server. If using AWS, EKS information on securing the public endpoint is available here.

Providing secure access at scale?
One problem with the above proposal is it’s either limited to static CIDR blocks (what happens if I work from home or go to the office?) — or I need a method of using a bastion or jump host to get into the VPC. This is where an OSS tool such as Teleport can provide the solution. Teleport is an identity-based access plane that can be deployed in a public subnet to provide a secure gateway to one or many Kubernetes clusters.

Decommission unused auth methods and unused tokens
Perform periodic review of unused auth methods and auth tokens and remove or disable them. Administrators often use certain tools to help ease setup with the Kubernetes cluster and later switch to other methods for managing clusters. It is important in this case that…

Source…

Misconfigured Firebase Databases Exposing Data in Mobile Apps

/in


The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Source…

Misconfigured database exposes 800-million records. Crackonosh installs XMrig. Hack-enabled traders & a FIN7 operator in court.

/in



Misconfigured database exposes 800-million records. Crackonosh installs XMrig. Judgments against hack-enabled traders and a FIN7 operator.

Source…