Docker Hub Hack Compromises Sensitive Data from 190,000 Accounts

Is the Docker Hub hack a harbinger of increasing cyber attacks on cloud containers?

According to an official email sent to users, hackers gained access to Docker Hub, the official repository for Docker container images, “for a brief period.” During that “brief period,” however, approximately 190,000 user accounts were exposed, including usernames, hashed passwords, and GitHub and Bitbucket tokens used for Docker autobuilds. At the time of this writing, Docker is still investigating, so it is unclear how the attackers got in or how “brief” their time inside the system really was.

Whatever Docker’s investigation ultimately uncovers, the Docker Hub hack should be deeply concerning to everyone. As enterprises increasingly ditch on-prem infrastructure and virtual machines in favor of clouds and containers, cybercriminals are following – but container security hasn’t kept up.

Enterprises are implementing clouds, and containers, faster than they can secure them

At this juncture, no one disputes that the future is in cloud computing; even enterprises that are required by compliance mandates to run some workloads on-prem are implementing hybrid cloud infrastructures so that they can take advantage of some of the benefits of the cloud on-prem. The RightScale 2019 State of the Cloud Report found that 94% of enterprises use cloud computing, with 58% running hybrid clouds (up from only 51% the year before), and 85% running multi-cloud environments.

The popular DevOps philosophy, which (among other things) encourages enterprises to automate as many IT processes as possible, has fueled the race to the cloud. It’s also prompted organizations to shift from virtual machines to more lightweight, portable, and flexible containers. Docker containers are by far the most popular; the RightScale survey found that Docker adoption increased from 49% in 2018 to 57% in 2019. Kubernetes, a container orchestration system often used alongside Docker, is also seeing strong growth, nearly doubling in popularity between 2018 and 2019.

Organizations’ appetite for hybrid clouds, multi-clouds, and containers is so ravenous that Google centered its recent Next ’19 conference around the launch of Google Anthos, a hybrid/multi-cloud management platform built atop Google Kubernetes Engine.

Unfortunately, the Docker Hub hack may end up being the fly in the cloud container soup.

Cloud container security lagging behind implementation

While organizations certainly reap a world of benefits by migrating to the cloud and using containers instead of VMs, cloud security is quite different from the on-prem security many enterprise personnel are accustomed to. Because of all their moving parts, hybrid and multi-cloud environments are notoriously difficult to secure. Respondents to the RightScale survey reported that their organizations are adopting cloud strategies faster than their security teams can keep up.

Cybersecurity professionals are also fretting about container security. Sixty percent of respondents to a Tripwire survey reported that their organizations experienced at least one container security incident in the past year, and a whopping 94% are concerned about container security in their organizations.

Docker Hub hack could have far-reaching implications

Even though the Docker Hub hack appears to have impacted only about 5% of the company’s customer base, the potential implications are far-reaching. Many very large companies, including software development companies and other IT service providers, use Docker containers. A stolen GitHub or Bitbucket token grants access to the linked source repository, so an attacker could read private code and push changes that Docker’s autobuild would then compile into images that downstream users pull and run, setting the stage for follow-on compromises of the original target company and possibly its customers. Docker’s notification asked affected users to reconnect their GitHub and Bitbucket accounts to Docker Hub and review those services’ security logs for unexpected actions; anyone with autobuilds should also check recent commits and build history, and rotate any secrets the build process could reach.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Hackers Can Use DICOM Bug to Hide Malware in Medical Images

DICOM bug enables hackers to insert fully functioning executable code into medical images

A newly discovered design flaw in DICOM, a three-decade-old medical imaging standard, could be used to deliver malware inside what appears to be an innocuous image file, a researcher from Cylera has discovered. Because the malware does not alter the protected health information (PHI) contained in the image file, the file remains a valid DICOM object that opens normally, and, as explained below, in many healthcare environments such files are excluded from automated malware scanning altogether.

What is DICOM?

Originally developed by the National Electrical Manufacturers Association (NEMA) and the American College of Radiology (ACR), DICOM is an international standard protocol for the management and transmission of medical images and related data, such as MRIs and CT scans. It was created to enable healthcare providers to store and easily share medical images and related patient data digitally, eliminating both hardware incompatibility issues and the need for physical films.

Today, DICOM has become the de facto standard for CT and MRI images throughout the healthcare industry. Most medical imaging equipment supports DICOM standards, along with specialized workstations that analyze scan results, and phones and tablets that can be used to view diagnostic information.

The DICOM bug

The DICOM bug is found in the Preamble, a 128-byte block at the very beginning of every DICOM file, immediately before the four-byte “DICM” marker that precedes the images and metadata. The Preamble exists to enable compatibility with image viewers that do not support DICOM but do support common image formats, such as JPG or TIFF.

It’s important to note that this is not a design flaw per se but an inherent feature of the DICOM file format, meant to facilitate compatibility. By filling the Preamble with another format’s header, a file can “trick” such viewers into treating a DICOM file as one of their supported formats, so that a healthcare provider could open an MRI file with their phone or tablet’s image viewer. Problem is, the standard imposes no structural requirements on the Preamble: any 128 bytes at all may be placed there, and the file remains fully compliant with the DICOM standard.

This allows hackers to do two things:

  1. Insert headers that make the DICOM image appear to be an executable, or some other file format.
  2. Build a single file that is at the same time a valid executable and a valid DICOM image (a polyglot), so that instead of a DICOM file “pretending” to be another image format, an executable “pretends” to be a DICOM file. The 128 bytes of the Preamble hold only the start of the executable’s header; for a Windows program that is the DOS header, whose pointer at offset 0x3C tells the loader where the real PE header lives. That header and the program’s code can sit anywhere later in the file, for example inside a DICOM data element, so the payload itself is not limited to 128 bytes.

In either case, the original PHI contained in the image’s metadata is preserved, and a hidden executable will not give itself away with an “.exe” extension. If an unsuspecting provider were sent an executable file disguised as a DICOM image, they would see the expected file extension and, upon opening it, the expected patient metadata. They would have no reason at all to suspect that anything was wrong.
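As an added illustration (this script is written for this article and is not Cylera’s code or part of the DICOM standard), the following Python checks the one part of a DICOM file the standard leaves unconstrained: the 128-byte Preamble before the “DICM” marker. It flags Preambles that begin with an executable signature and, for the “MZ” case, follows the pointer at offset 0x3C to see whether a PE header really sits later in the file. The sample files are constructed inside the script, not real scans; the lists of benign and executable signatures, the single file-meta element used to make the samples look like DICOM, and the verdict names are the author’s own choices.

```python
import struct

PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"          # 4-byte prefix that follows the preamble in a Part 10 file
PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C         # DOS-header field holding the file offset of the PE header

# Signatures that have no business at the start of a medical image (author's list).
EXECUTABLE_SIGNATURES = {
    b"MZ": "Windows PE/DOS header",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O (32-bit)",
    b"\xfe\xed\xfa\xcf": "Mach-O (64-bit)",
    b"\xcf\xfa\xed\xfe": "Mach-O (64-bit, little-endian)",
}
# The compatibility case the preamble exists for: a TIFF header (II*\0 or MM\0*).
TIFF_PREFIXES = (b"II*\x00", b"MM\x00*")


def classify_preamble(data: bytes) -> dict:
    """Classify the preamble of the DICOM Part 10 file whose bytes are in `data`."""
    if len(data) < PREAMBLE_LEN + len(DICOM_MAGIC):
        return {"is_dicom": False, "verdict": "too short", "detail": None}
    preamble = data[:PREAMBLE_LEN]
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != DICOM_MAGIC:
        return {"is_dicom": False, "verdict": "not DICOM Part 10", "detail": None}
    for sig, name in EXECUTABLE_SIGNATURES.items():
        if preamble.startswith(sig):
            detail = name
            if sig == b"MZ":
                # In a PE/DICOM polyglot the DOS header lives in the preamble and
                # e_lfanew points past "DICM" to a PE header hidden in the DICOM body.
                e_lfanew = struct.unpack_from("<I", preamble, E_LFANEW_OFFSET)[0]
                detail = f"{name}, e_lfanew=0x{e_lfanew:x}"
                if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
                    detail += " (valid PE signature at that offset)"
            return {"is_dicom": True, "verdict": "suspicious", "detail": detail}
    if preamble == bytes(PREAMBLE_LEN) or preamble.startswith(TIFF_PREFIXES):
        return {"is_dicom": True, "verdict": "benign", "detail": None}
    return {"is_dicom": True, "verdict": "unusual", "detail": "non-zero, non-TIFF preamble"}


def build_samples() -> dict:
    """Constructed sample files (not real scans): a clean DICOM, a PE/DICOM
    polyglot, and a PNG that merely carries a .dcm name."""
    # One file-meta element, (0002,0010) Transfer Syntax UID, explicit VR little
    # endian, so the bytes after "DICM" look like the start of a real header.
    body = b"\x02\x00\x10\x00" + b"UI" + struct.pack("<H", 20) + b"1.2.840.10008.1.2.1\x00"
    clean = bytes(PREAMBLE_LEN) + DICOM_MAGIC + body

    # Polyglot: DOS header in the preamble, e_lfanew pointing just past the DICOM body,
    # where a (stub) PE header is placed.
    pe_offset = PREAMBLE_LEN + len(DICOM_MAGIC) + len(body)
    dos_header = b"MZ" + bytes(E_LFANEW_OFFSET - 2) + struct.pack("<I", pe_offset)
    preamble = dos_header + bytes(PREAMBLE_LEN - len(dos_header))
    polyglot = preamble + DICOM_MAGIC + body + PE_SIGNATURE + bytes(20)

    png = b"\x89PNG\r\n\x1a\n" + bytes(200)
    return {"clean": clean, "polyglot": polyglot, "png": png}


SAMPLES = build_samples()


def scan_file(path: str) -> dict:
    """Classify a file on disk; reads the whole file so the PE pointer can be followed."""
    with open(path, "rb") as fh:
        return classify_preamble(fh.read())


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:9s} {classify_preamble(blob)}")
```

A check like this belongs at ingestion points (PACS import, modality gateways, email and USB intake), where a file whose Preamble starts with an executable header can be rejected or have its Preamble zeroed before it reaches a workstation. Zeroing is permitted by the standard, but it also removes the compatibility trick the Preamble exists for, so it should be applied deliberately rather than blindly.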

DICOM bug takes advantage of HIPAA regulations

The scenario gets even worse when considering that in healthcare settings, anti-virus and anti-malware solutions are commonly configured to skip files that contain PHI, precisely because of HIPAA: a scanner that quarantines or deletes a patient record creates its own compliance problem. Even if the malware were discovered, security response teams would face a quandary, again because of HIPAA. The malware and the file’s PHI are welded together in one file. It cannot simply be deleted, because that destroys PHI; if it is accidentally deleted, the PHI is gone as well.

This makes the DICOM bug, which the researcher who discovered it has dubbed PE/DICOM, “the first vulnerability whose technical potency is derived from a regulatory environment in addition to a software design flaw.”

DICOM bug discovered amidst increasingly sophisticated attacks on healthcare IT systems

Unfortunately, it’s not possible for any single vendor to issue a patch for this, nor is there a single remedial action that can be applied to every system that supports DICOM. The only way to fix the DICOM bug at its root will be for the standard to be rewritten to constrain the content of the Preamble, and doing so while preserving the standard’s purpose, compatibility, is going to be a challenge, to say the least. In the meantime, organizations are not helpless: because the standard permits any content in the Preamble, including all zeros, a PACS or import gateway can inspect incoming files and reject or neutralize any whose Preamble begins with an executable header, and scanning exclusions for PHI stores can be narrowed to the specific checks that would actually damage records.

The DICOM bug has emerged amidst increasingly sophisticated and destructive attacks on healthcare IT systems. While it is the first vulnerability that takes advantage not just of a technical design flaw, but the regulatory environment governing an industry, it probably won’t be the last. This is why it’s crucial for healthcare organizations to practice proactive cybersecurity and actively defend themselves against not just today’s attacks but also tomorrow’s.

Arizona Beverages Ransomware Attack Halts Sales for Days

Poor cybersecurity practices complicated recovery from the Arizona Beverages ransomware attack.

What appears to have been a targeted ransomware attack knocked over 200 networked computers and servers offline at Arizona Beverages, one of the largest beverage suppliers in the U.S., TechCrunch reports. The attack, which the company was still struggling to recover from two weeks later, halted sales operations for days, allegedly costing the company millions of dollars.

Arizona Beverages ransomware attack yet another lesson in what not to do

The ransomware that hit Arizona Beverages is believed to be iEncrypt, a strain used in targeted attacks. A few weeks before the iEncrypt attack, the FBI contacted Arizona Beverages to warn them that they had been compromised by another form of malware called Dridex, which leverages Microsoft Office macros and is usually delivered through phishing emails. The Dridex infection may very well have opened the door to the iEncrypt attack, possibly by stealing login credentials.

An anonymous source told TechCrunch that the Dridex infection had been ongoing for “at least a couple of months” at the time the FBI contacted Arizona Beverages. The same source remarked to TechCrunch that they were surprised something like this hadn’t happened sooner, given the company’s poor cybersecurity posture. This included servers that relied on legacy versions of Windows so old that they are no longer supported; these installations hadn’t received security patches for “years.”

In addition to servers and computers, the iEncrypt ransomware locked down Arizona Beverages’ email server, leaving the company unable to process customer orders. The fun didn’t stop there. When internal IT staff attempted to restore the company’s network from backups, they discovered that they couldn’t – because the backups hadn’t been configured properly. Staff members scrambled for days to get the backups to work before, TechCrunch’s source said, “they started throwing money at the problem” and brought in a third-party vendor.

In addition to millions of dollars in lost sales, Arizona Beverages has allegedly spent “hundreds of thousands” more on new hardware, new software, paying the vendor to clean up the problem, and rebuilding its entire network. As of the publication of the TechCrunch article, the company was reportedly 60% restored.

Targeted ransomware attacks on the rise

Although there has been a drop in the overall number of ransomware attacks over the past year, attacks are becoming more sophisticated and targeted. Meanwhile, the bar for launching a complex attack has been significantly lowered by the proliferation of ransomware-as-a-service, which allows just about anyone to launch an attack regardless of technical ability.

The iEncrypt malware that hit Arizona Beverages uses the victimized company’s name as the file extension of encrypted files and also mentions it in the ransom note. It is a relatively new strain, first seen in November 2018, and its behavior is not yet well understood. One thing is certain: once an infection hits, it is especially difficult to remove, because the malware disguises its components as legitimate files.
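Added example, not part of the original article or of any product mentioned in it: a small Python detector that runs over a constructed file-activity log and raises an alert when one process on one host renames or creates more than a handful of files with the same previously unseen extension inside a short window, which is the visible effect of the behavior described above. The log format, the host and process names, the threshold, the baseline extension list and the “.acme_bev” extension are all constructed for the example; this is a generic mass-rename heuristic, not a signature for iEncrypt.

```python
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # burst window (author's choice)
THRESHOLD = 5         # files with the same new extension, per host+process, inside the window
# Extensions considered normal in this (constructed) environment; anything else is "new".
BASELINE_EXTENSIONS = {"docx", "xlsx", "pdf", "jpg", "txt", "log", "tmp", "bak", "exe", "dll"}

# Constructed file-activity log, not real telemetry. Fields: UTC time, host,
# process, operation, resulting path. Paths in this sample contain no spaces.
SAMPLE_LOG = r"""
2019-04-01T02:10:01Z fs01 winword.exe WRITE C:\share\finance\q1.docx
2019-04-01T02:10:05Z fs01 explorer.exe CREATE C:\share\hr\notes.txt
2019-04-01T02:10:30Z fs01 backup.exe CREATE C:\share\it\nightly.tmp
2019-04-01T02:11:00Z fs01 updater.exe RENAME C:\share\finance\q1.docx.acme_bev
2019-04-01T02:11:01Z fs01 updater.exe RENAME C:\share\finance\q2.xlsx.acme_bev
2019-04-01T02:11:02Z fs01 updater.exe RENAME C:\share\finance\budget.pdf.acme_bev
2019-04-01T02:11:03Z fs01 updater.exe RENAME C:\share\hr\notes.txt.acme_bev
2019-04-01T02:11:04Z fs01 updater.exe RENAME C:\share\hr\payroll.xlsx.acme_bev
2019-04-01T02:11:05Z fs01 updater.exe CREATE C:\share\hr\README_acme_bev.txt
2019-04-01T02:11:06Z fs01 updater.exe RENAME C:\share\it\nightly.tmp.acme_bev
2019-04-01T02:11:07Z fs01 updater.exe RENAME C:\share\it\inventory.docx.acme_bev
2019-04-01T02:12:10Z fs02 devtool.exe RENAME C:\build\a.obj.enc
2019-04-01T02:12:11Z fs02 devtool.exe RENAME C:\build\b.obj.enc
2019-04-01T02:12:12Z fs02 devtool.exe RENAME C:\build\c.obj.enc
"""


def split_path(path: str):
    """Return (directory, lower-cased extension) for Windows or POSIX separators."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    _, dot, ext = name.rpartition(".")
    return directory, (ext.lower() if dot else "")


def parse_event(line: str) -> dict:
    ts, host, process, op, path = line.split(maxsplit=4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "process": process, "op": op, "path": path}


def detect_rename_bursts(log_text: str, window=WINDOW_SECONDS, threshold=THRESHOLD) -> list:
    """Alert when one host+process yields >= threshold files sharing a non-baseline
    extension within `window` seconds. Once a key has alerted, every further file it
    touches is added to that alert so the final count reflects the whole episode."""
    recent = defaultdict(deque)   # (host, process, ext) -> deque of (timestamp, directory)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["op"] not in ("RENAME", "CREATE"):
            continue
        directory, ext = split_path(ev["path"])
        if not ext or ext in BASELINE_EXTENSIONS:
            continue
        key = (ev["host"], ev["process"], ext)
        q = recent[key]
        q.append((ev["ts"], directory))
        while (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        if key in alerts:
            a = alerts[key]
            a["count"] += 1
            a["last_seen"] = ev["ts"]
            a["directories"].add(directory)
        elif len(q) >= threshold:
            alerts[key] = {
                "host": ev["host"], "process": ev["process"], "extension": ext,
                "count": len(q), "first_seen": q[0][0], "last_seen": ev["ts"],
                "directories": {d for _, d in q},
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG):
        print(f'{alert["host"]} {alert["process"]} -> .{alert["extension"]}: '
              f'{alert["count"]} files across {len(alert["directories"])} directories')
```

On the sample, only updater.exe on fs01 trips the rule (seven files across three directories); the three .enc renames on fs02 stay below the threshold. The directory count matters in practice: a single process fanning out across many shares is the moment to isolate the host, and it is also the signal that backups reachable from that host may be next.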

What would happen if sales at your company halted for a week?

This is the question every company needs to be asking itself right now. Arizona Beverages lost millions of dollars because it literally couldn’t process customer orders for several days; this was on top of cleanup costs. As a very large company, Arizona Beverages could take this sort of financial hit. Many small companies aren’t so fortunate. Around the same time the Arizona Beverages ransomware attack hit the news, a small Michigan medical practice permanently closed after a ransomware attack destroyed their electronic health records system.

The Arizona Beverages ransomware attack may not have happened in the first place if the company had not been relying on old, unpatched, unsupported versions of Windows. When it did occur, the company should have been able to restore from a backup. Not having properly configured network backups is inexcusable, and a backup that has never been restore-tested is not really a backup. Backups also need to be kept where malware running with stolen credentials cannot reach them; an attacker who has been inside the network for months, as Dridex apparently was here, has had ample time to find and encrypt online backups along with everything else. In addition to enabling recovery after a cyberattack, backups allow companies to recover from events such as vandalism and natural disasters.

Arizona Beverages’ poor handling of the basics begs the question of what else was wrong with its internal cybersecurity. Was the Dridex infection properly mitigated? Why didn’t the company find out about it until it was contacted by the FBI? Whatever happened, it would have been far less expensive and disruptive for Arizona Beverages to have implemented proactive cybersecurity measures instead of throwing money at a problem after it happened.