What's new this week in the news for MSPs? New database tools for developers launched by Google; a newly found vulnerability in Azure Functions lets an attacker escape to the Docker host; TrickBot malware is using Masscan to map its targets' networks; and new Pro-Ocean malware is spreading through Oracle, Redis, and Apache servers.
New Database Tools for Developers Launched by Google
Two new tools from Google are out this week; one is a cloud service, while the other is an open-source software library. Google gave the cloud service the name Cloud SQL Insights, and the open-source library is Sqlcommenter.
One of the most frequent causes of application slowdowns is the database. Due to a lack of database administrators at most firms, they’re also the most challenging to fix.
One method in use to alleviate the load on database admins is to provide application developers with tools to analyze performance problems independently. Google envisions this use for its recently launched Sqlcommenter and Cloud SQL Insights tools.
Cloud SQL Insights visualizes how the separate elements of an application interact with the database and shows which queries take too long. For example, it can show if an e-commerce app's catalog experiences delays in retrieving product information. The information is displayed in a dashboard that lets developers notice and quickly repair the issues that cause performance drops.
“Application developers need to do very little application code change to enable Sqlcommenter for their applications,” Google Cloud software engineer Bala Chandrasekaran says in a blog post. “Observability information from Sqlcommenter can be used by application developers directly using slow query logs, or it can be integrated into other products or tools, such as Cloud SQL Insights, to provide application-centric monitoring.”
Newly Found Vulnerability in Azure Functions Lets Attacker Escape to Docker Host
A recently uncovered vulnerability in Microsoft Azure Functions may permit an attacker to escape the Azure Functions Docker container to the Docker host and escalate privileges.
Cybersecurity researcher Paul Litvak from Intezer Labs Ltd says the vulnerability can be triggered through HTTP requests to a function. Such functions are intended to run for only a few minutes to handle an event, which should not normally be an issue.
To demonstrate the vulnerability, Litvak reproduced how an attacker running code in Azure Functions could escalate privileges and escape the Docker container to the Docker host. Escaping Docker, in this case, gave Litvak root access on the host.
Before going public with the details, Litvak shared the vulnerability with Microsoft, which determined that it has no security impact on Functions users, because a Hyper-V boundary protects the Docker host itself.
TrickBot Malware Using Masscan to Map Its Targets' Networks
A network surveillance module designed to survey local networks after infecting a victim's computer has been added to the TrickBot malware in a recent upgrade. The TrickBot group has given it the name masrv, and it uses the open-source tool Masscan.
Masscan is a mass port scanner with its own built-in TCP/IP stack; it can scan large portions of the Internet in only a few minutes. TrickBot uses the network scanner module to map the victim's network and then sends home data on any devices with open ports.
The module is delivered as either a 32-bit or a 64-bit Windows DLL, depending on the architecture of the infected system.
The data on network devices with open ports is exfiltrated to the malware's server, where its operators decide whether the machines it found should be added to the botnet.
Microsoft and other security firms disrupted the TrickBot botnet in a coordinated operation that took down the TrickBot C2 servers in October 2020.
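The surveying behaviour described above is noisy from the defender's side: one host touching many distinct host:port pairs in a few seconds. The following is an added example, not code from the page or from any vendor report, that flags such sources in connection records; the log format and the sample records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <src> <dst> <dport>".
BASE = datetime(2021, 1, 28, 10, 0, 0)
SAMPLE_LINES = (
    # scanner-like host: sweeps 10.0.5.1-40 on 445, then on 3389, in ~8 s
    [f"{(BASE + timedelta(milliseconds=100 * i)).isoformat()} "
     f"10.0.5.23 10.0.5.{1 + i % 40} {445 if i < 40 else 3389}"
     for i in range(80)]
    # ordinary host: a handful of HTTPS connections spread over minutes
    + [f"{(BASE + timedelta(seconds=30 * j)).isoformat()} "
       f"10.0.5.10 10.0.5.{50 + j} 443" for j in range(5)]
)


def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(log_text, window_seconds=10, min_targets=20):
    """Return {src: max distinct (dst, port) pairs seen in any window}
    for every source that touched at least min_targets distinct
    host:port pairs within window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        per_src[src].append((ts, (dst, dport)))

    flagged = {}
    for src, evs in per_src.items():
        start = 0  # sliding window over this source's events
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {target for _, target in evs[start:end + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, count in find_scanners("\n".join(SAMPLE_LINES)).items():
        print(f"{src}: {count} distinct host:port pairs within 10 s")
```

Thresholds here are deliberately loose; tune window and target counts to the size of the network segment being monitored.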
Although the operation was successful in disabling roughly 94% of TrickBot’s critical infrastructure, this resilient botnet bounced back in January 2021 with a new series of lures and phishing emails.
New Pro-Ocean Malware Spreading Through Oracle, Redis, and Apache Servers
A new piece of crypto-jacking malware called Pro-Ocean targets vulnerable instances of Apache ActiveMQ, Redis, and Oracle WebLogic. The new malware is an upgrade from the previous threat used by the group. It now includes self-spreading capabilities, indiscriminately launching exploits at discovered machines.
The Rocke crypto-jacking group's habit of exploiting known vulnerabilities in cloud applications to take control of unpatched Apache ActiveMQ (CVE-2016-3088) and Oracle WebLogic (CVE-2017-10271) servers hasn't changed.
Researchers at Palo Alto Networks say the malware now includes “new and improved rootkit and worm capabilities,” allowing it to hide its malicious activity and spread to unpatched network software.
To stay under the radar, Pro-Ocean uses a native Linux feature that forces binaries to load specific libraries ahead of others.
The group has also moved from manually exploiting victims to a simple automated process. A Python script takes the infected machine's public IP address and then tries to infect every device in the same /16 subnet. There is no targeting in this process: the attackers simply throw public exploits indiscriminately at the discovered hosts, hoping that one of them sticks.
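A host-side check for that library-loading trick, as an added example (not code from the page or from the Palo Alto Networks report): it assumes the feature meant is the dynamic loader's preload mechanism, i.e. entries in /etc/ld.so.preload and LD_PRELOAD in a process's environment, which the page itself does not name; the sample preload file and process environments are constructed.

```python
from pathlib import Path

PRELOAD_FILE = "/etc/ld.so.preload"


def audit_preload(preload_text, environs):
    """preload_text: contents of /etc/ld.so.preload ("" if absent);
    environs: {pid: raw bytes of /proc/<pid>/environ, NUL-separated}.
    Returns a list of (mechanism, where, library) findings; an empty
    list means no forced library loading was found."""
    findings = []
    for raw in preload_text.splitlines():
        # the file is a whitespace-separated list; '#' starts a comment
        for lib in raw.split("#", 1)[0].split():
            findings.append(("ld.so.preload", PRELOAD_FILE, lib))
    for pid, blob in environs.items():
        for entry in blob.split(b"\0"):
            if entry.startswith(b"LD_PRELOAD="):
                value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
                for lib in value.replace(":", " ").split():
                    findings.append(("LD_PRELOAD", f"pid {pid}", lib))
    return findings


def collect_live():
    """Gather the real inputs on a Linux host (needs root to read every
    process's environ)."""
    pf = Path(PRELOAD_FILE)
    text = pf.read_text() if pf.exists() else ""
    environs = {}
    for p in Path("/proc").iterdir() if Path("/proc").exists() else []:
        if p.name.isdigit():
            try:
                environs[int(p.name)] = (p / "environ").read_bytes()
            except OSError:  # process exited or not readable by us
                pass
    return text, environs


# Constructed sample inputs; the library paths are placeholders.
SAMPLE_PRELOAD = "# constructed example\n/usr/local/lib/libexample_hidden.so\n"
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libexample.so\0HOME=/root\0",
    1235: b"PATH=/usr/bin\0HOME=/home/user\0",
}

if __name__ == "__main__":
    for mechanism, where, lib in audit_preload(*collect_live()):
        print(f"{mechanism:14} {where:22} {lib}")
```

On a clean host, /etc/ld.so.preload is normally absent or empty, so any entry there, and any long-lived daemon carrying LD_PRELOAD, deserves a look.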
Rocke's crypto-mining operations have evolved to include self-spreading features and better hiding tactics, even though they do not reach the sophistication of other malware.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.