September 03, 2023
Table Of Contents
Windows Container Isolation Vulnerability Exposes Security Risks
Cybersecurity researchers at Deep Instinct have identified a potential security loophole in Windows container isolation. Hackers can exploit this vulnerability to bypass organizational security defenses. They leverage the Windows container isolation framework to evade security mechanisms. Containers package applications with their runtime environment for resource efficiency and security. The vulnerability revolves around job objects, which group processes for unified management, controlling attributes like CPU, I/O, memory, and network usage. Nested Jobs assist in managing multi-processed applications. Silos extend jobs, and containers use ‘Server Silo’ for process grouping and resource redirection. The Windows Kernel identifies silo-assigned processes using APIs like PsIsCurrentThreadInServerSilo and PsIsProcessInSilo.Reparse points store user data parsed by file system mini-filter drivers with unique identifying tags. Containers use dynamic images linked to originals through reparse points.Mini-filter drivers simplify I/O filtering and are managed by Microsoft’s filter manager. They operate with the “Flt API.“The wcifs mini-filter driver separates Windows containers from the host file system, managing ghost file redirection via reparse points. Main reparse tags associated include IO_REPARSE_TAG_WCI_1 and IO_REPARSE_TAG_WCI_LINK_1. Mini-filters attach indirectly to file systems via altitude values, and hackers can perform file operations without triggering callbacks.
Windows container isolation framework in Windows Server environments
· Monitor DeviceIoControl calls and FSCTL_SET_REPARSE_POINT with IO_REPARSE_TAG_WCI_1 tag.
North Korea’s Hacker Group Deploys Malicious Version of Python Package in PyPI Repository
The malicious actors duplicated the’requests’ package, copying its description and files without making any alterations, and employed evasion techniques including typosquatting. Only a few lines of code were added to the malicious packages in the “init.py” file to launch a thread that executed a function from the “cookies.py” file. Malicious routines were added to the cookies.py file to collect machine data and submit it through POST to a C2 server URL. It then sends a GET HTTP request to a different C2 server URL to retrieve a token. A double-encrypted Python module with execution parameters is sent to the infected host, which decodes it and downloads the subsequent malware stage from a given URL. Similar to the previous VMConnect campaign, the C2 server held back more commands while it waited for appropriate targets, making campaign evaluation difficult. ReversingLabs looked into VMConnect with the intention of connecting it to other malware campaigns and discovered hints that pointed to Lazarus Group, a North Korean APT group. Further research revealed that the py_QRcode package was never listed on PyPI, despite being noted in a JPCERT report from July 2023 (https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html). This begs the question of how, despite being associated with this package, the malware managed to infect users. Findings from JPCERT/CC and VMConnect that have code in common link both to the Lazarus Group, indicating North Korean official sponsorship.
developer environment with a variety of platforms.
· Software developers are advised by the NJCCIC to evaluate their code for any signs of corrupted packages.
Okta Security Alert: Vigilance Against Social Engineering Attacks
In a recent security advisory, Okta, a leading identity and access management provider, warns users about the rising threat of social engineering attacks. This article delves into the details of Okta’s alert and provides essential recommendations to safeguard your organization’s digital assets.
· Strengthen your Okta accounts and applications by enforcing MFA. This adds an extra layer of security, making it significantly more challenging for attackers to gain unauthorized access.