Tenable's new features for enhanced protection

Network security company Tenable Inc. today announced a number of new features, including new cloud scanning capabilities and measurement features designed to improve cloud security.

Frictionless Assessment offers what Tenable says is a new approach to vulnerability management for modern assets. The service leverages native technologies deployed as part of the cloud asset to assess instances continuously for vulnerabilities. Designed to harness the benefits of cloud-first environments without vulnerability management programs that require periodic scans or agent-based approaches, the new service allows customers to evaluate cloud assets without interruption, quickly detecting new vulnerabilities as their environment changes and without manual intervention.

Initially launching on Amazon Web Services Inc., Frictionless Assessment uses AWS Systems Manager Run Command to maintain, update and reassess cloud instances without interruption, achieving and maintaining what Tenable says is accurate visibility into cybersecurity risks across all cloud-based assets.

Tenable Lumin, Tenable’s cyber exposure visualization, analytics and measurement solution, is also getting a number of upgrades designed to allow organizations to predict which vulnerabilities pose the greatest risk to their business. Using machine learning, the enhanced version of Lumin allows security teams to also measure how quickly and efficiently they remediate vulnerabilities.

The updated version of Tenable Lumin has several parts, starting with remediation maturity to help security teams not only measure their speed and efficiency of remediating vulnerabilities but also compare them to external peers and Tenable best practices. Remediation maturity is available to existing Lumin customers now.

A new mitigations function is designed to evaluate a security team’s response to critical risks when timely remediation isn’t possible. It provides an inventory of endpoint security controls for a more complete and accurate picture of an organization’s cyber exposure. That capability will be available in the fourth quarter.

Predictive scoring, also available in the fourth quarter, is said to deliver more accurate and comprehensive insight into an organization’s overall cyber exposure. The method infers the exposure scores of groups of assets before they have been assessed in detail.

TeamTNT steals AWS credentials

The frequent targeting of cloud and container environments is indicative of a vast attack surface for cybercriminals. Recently, Cado Security researchers found a crypto-mining worm, dubbed 'TeamTNT', that is the first known to contain Amazon Web Services (AWS)-specific functionality.

Active since April 2020, TeamTNT updated its mode of operation in mid-August.

TeamTNT has added a new data-stealing feature that enables the attackers to scan for and steal AWS credentials. It is the first botnet malware known to do so.

The worm also steals local credentials and scans the internet for misconfigured Docker systems.

Attackers have compromised many Docker installations, Kubernetes clusters and Jenkins build servers.

Post-exploitation

Besides acting as a botnet and a worm, TeamTNT uses the XMRig miner to mine Monero cryptocurrency.

The worm also deploys several publicly available malware samples and offensive security tools, including punk.py, the Diamorphine rootkit, the Tsunami IRC backdoor and a log-cleaning tool.

Two different Monero wallets associated with these latest attacks have earned TeamTNT about 3 XMR (approximately $300).

The similarity

TeamTNT’s malware suite borrows heavily from another worm named Kinsing, since malware authors copy and paste their competitors’ code. The Kinsing worm was designed to bypass Alibaba Cloud security tools. In early April 2020, a bitcoin-mining campaign used the Kinsing malware to scan for misconfigured Docker APIs, then spin up Docker images and install itself.

Bottom line

The research team has flagged the latest set of campaigns as a unique development. It is likely that other worms will start to copy the ability to steal AWS credentials. To thwart such attacks, organizations should consider reviewing their security configurations to protect AWS deployments from being hijacked.

Moreover, monitoring network traffic and using firewall rules to limit any access to Docker APIs is also recommended.
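As an added illustration of the configuration review recommended above (this is example code, not part of the article or of Cado Security's research), the following audits a Docker daemon.json for an API listener that is reachable over the network without TLS client verification and lists the ports that host firewall rules should restrict. The two sample configurations are constructed for the example.

```python
import json

# Constructed sample daemon.json documents (not taken from the article).
EXPOSED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_ADDRS = {"", "0.0.0.0", "[::]", "::"}  # "listen on every interface"

def tcp_listeners(cfg):
    """Yield (host_string, address, port) for each tcp:// entry in "hosts"."""
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable from the network
        hostpart = h[len("tcp://"):]
        addr, sep, port = hostpart.rpartition(":")
        if not sep:
            addr, port = hostpart, "2375"  # Docker's default plain-TCP port
        yield h, addr, port

def audit_docker_daemon(config_text):
    """Return a list of findings; an empty list means no unprotected network listener."""
    cfg = json.loads(config_text)
    findings = []
    listeners = list(tcp_listeners(cfg))
    if not listeners:
        return findings
    tls_verify = bool(cfg.get("tlsverify", False))
    for h, addr, port in listeners:
        if addr in WILDCARD_ADDRS:
            findings.append(f"{h}: API bound to every interface; bind to one address and firewall port {port}")
        if not tls_verify:
            findings.append(f"{h}: TCP listener without tlsverify; any client reaching port {port} controls the daemon")
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing from the configuration")
    return findings

def firewall_ports(config_text):
    """Ports of TCP listeners that host firewall rules should restrict (empty if none)."""
    return sorted({port for _, _, port in tcp_listeners(json.loads(config_text))})
```

Run the audit against each container host's daemon.json; a non-empty result on a host that must expose the API remotely means the listener needs TLS client verification and a firewall rule limiting the returned ports to known management addresses.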

SkyArk: a new stealth watch for Shadow Admins in AWS and Azure

A new open-source tool has been released to identify Shadow Admin accounts in Microsoft Corp. Azure and Amazon Web Services Inc. cloud environments.

Called CyberArk SkyArk, the tool is designed to help organizations combat Shadow Admins by targeting and securing the most privileged entities in both Azure and AWS environments.

Shadow Admin accounts have sensitive privileges on a network and are typically overlooked because they are not members of a privileged Active Directory group. Instead, Shadow Admin accounts are typically granted their privileges through the direct assignment of permissions.

They’re highly desired by attackers because they provide administrative privileges necessary to advance an attack while having a lower profile than well-known admin group members.

“While organizations may be familiar with their list of straightforward admin accounts, Shadow Admins are much more difficult to discover due to the thousands of permissions that exist in standard cloud environments (i.e. AWS and Azure each have more than 5,000 different permissions),” CyberArk explained. “As a result, there are many cases where Shadow Admins might be created. Despite the appearance of limited permissions, a Shadow Admin with just a single permission has the ability to gain the equivalent power of a full admin.”

SkyArk offers two main scanning modules, AzureStealth and AWStealth, to scan Azure and AWS environments. The tool only requires read-only permissions because it simply queries cloud entities and their assigned permissions before performing an analysis and providing results.

The results can be used by both internal red and blue teams. For red teams, which break into systems to test security, the results can be used to target discovered Shadow Admins through password matching, spear-phishing or a targeted attack on the endpoints of the employee found to have admin or shadow rights. For blue teams, which defend against attacks, the results can be used to eliminate unintended admins and remove unnecessary permissions from Shadow Admins.
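To make the Shadow Admin idea concrete from the blue-team side, here is an added example (not SkyArk's code or rule set) that runs the same kind of analysis over a constructed IAM-style inventory: users who are not in a recognised admin group but hold, directly or through a non-admin group, a single permission that lets them become a full admin. The user and group names, the policy statements and the escalation-action list are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# IAM actions whose holder can grant themselves full admin; constructed,
# illustrative list for this example, not SkyArk's rule set.
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
    "iam:PassRole", "iam:*", "*",
}

# Constructed inventory: groups with their policy statements, and users with
# group memberships plus directly attached statements (the Shadow Admin path).
GROUP_POLICIES = {
    "Administrators": [{"Effect": "Allow", "Action": "*"}],
    "Developers": [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetObject"]}],
}
USERS = {
    "alice": {"groups": ["Administrators"], "statements": []},   # known admin
    "bob": {"groups": ["Developers"], "statements": []},         # ordinary user
    "ci-deployer": {"groups": [], "statements": [{"Effect": "Allow", "Action": "iam:PutUserPolicy"}]},
    "ops-bot": {"groups": ["Developers"], "statements": [{"Effect": "Allow", "Action": ["iam:*"]}]},
}

def allowed_patterns(statements):
    """Flatten Allow statements into action patterns such as "iam:*" or "s3:GetObject"."""
    patterns = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue  # Deny statements are ignored here; a full audit must evaluate them too
        action = st.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns

def find_shadow_admins(users, group_policies, admin_groups):
    """Return {user: sorted escalation actions} for users outside the known admin groups."""
    shadow = {}
    for name, user in users.items():
        if set(user["groups"]) & set(admin_groups):
            continue  # a recognised admin, not a shadow one
        statements = list(user["statements"])
        for g in user["groups"]:
            statements += group_policies.get(g, [])
        hits = {act for pat in allowed_patterns(statements)
                for act in ESCALATION_ACTIONS if fnmatchcase(act, pat)}
        if hits:
            shadow[name] = sorted(hits)
    return shadow

if __name__ == "__main__":
    for user, actions in find_shadow_admins(USERS, GROUP_POLICIES, {"Administrators"}).items():
        print(f"{user}: {', '.join(actions)}")
```

The inventory format is a stand-in for the read-only entity and permission queries the tool performs; a real run would populate it from the cloud provider's IAM API and evaluate Deny statements and resource constraints as well.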