Exposed docker APIs under attack in 'Commando Cat' cryptojacking campaign


Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: The Commando Cat cryptojacking campaign is targeting exposed Docker APIs. Also: CISO accountability in the new era of Software Supply Chain Security.

This Week’s Top Story

Exposed docker APIs under attack in 'Commando Cat' cryptojacking campaign

Just yesterday, Cado Security researchers Nate Bill and Matt Muir discovered a sophisticated cryptojacking campaign known as Commando Cat, which targets Docker API endpoints exposed on the internet. Cryptojacking refers to a cybercriminal exploiting a computer to mine cryptocurrency. In this campaign, however, the researchers found that the malware delivered through those endpoints also serves other threatening functions, including the insertion of a stealthy backdoor and credential theft.

This malicious campaign gets its name from its first attack step: deploying a benign container generated with Commando, an open-source GitHub project that generates Docker images on demand for developers. According to the researchers’ report, “The attacker escapes this container and runs multiple payloads on the docker host,” delivering all of the malicious actions to the victim. The threat actor escapes the container using the chroot command, then runs a series of checks on the victim’s operating system looking for a specific list of services. The researchers, however, are unsure why the threat actor performs this series of checks in the campaign’s attack chain.

Once the threat actor gains access to Docker, which serves as the initial point of access, they deliver several independent payloads to the victim. These give the threat actor persistent access, create a backdoor, exfiltrate any cloud service provider (CSP) credentials, and launch the cryptocurrency miner.

The researchers said they are unsure who the threat actor behind Commando Cat is. However, Commando Cat’s shell scripts and command-and-control (C2) IP address overlap with those used by TeamTNT, another cryptojacking group. (The Hacker News)
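The two preconditions the story turns on are a Docker API reachable from the internet and a container that can reach the host filesystem (the chroot escape implies the host root is mounted inside the container). The script below is an added example, not code from ReversingLabs, Cado Security or the Docker project: it reads the shapes that /etc/docker/daemon.json (`hosts`, `tlsverify`) and `docker inspect` (`Name`, `HostConfig.Privileged`, `HostConfig.PidMode`, `Mounts`) actually produce and flags both conditions, going slightly beyond the article by also treating privileged mode, the host PID namespace and a few other sensitive bind sources as escape paths. The sample records are constructed for the example.

```python
"""Defender-side audit: is the Docker API exposed, and can any container reach the host?

Added example; not from the newsletter or from Cado Security's report. Input is
daemon.json-style config and `docker inspect`-style records. Sample data below is
constructed, not captured from a real host.
"""
import json
import os

# Bind-mount sources that give a container a path onto the host filesystem.
# Assumption for this example: a bind of "/" is what a chroot-based escape
# needs; the remaining entries are a defensive extension beyond the write-up.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/var/run/docker.sock")


def daemon_api_findings(daemon_config):
    """Flag Docker API listeners reachable over TCP (daemon.json 'hosts' list)."""
    findings = []
    for host in daemon_config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        if daemon_config.get("tlsverify"):
            findings.append("api-tls: %s requires client certificates; review who holds them" % host)
        else:
            findings.append("api-unauthenticated: %s accepts unauthenticated Docker API calls" % host)
    return findings


def container_escape_findings(record):
    """Flag settings in one `docker inspect` record that let the container reach the host."""
    name = record.get("Name", "?").lstrip("/")
    host_cfg = record.get("HostConfig", {})
    findings = []
    if host_cfg.get("Privileged"):
        findings.append("privileged: %s runs with all capabilities and device access" % name)
    if host_cfg.get("PidMode") == "host":
        findings.append("host-pid: %s shares the host PID namespace" % name)
    sensitive = {os.path.normpath(p) for p in SENSITIVE_HOST_PATHS}
    for mount in record.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue  # named volumes live under Docker's own data root
        src = os.path.normpath(mount.get("Source", ""))
        if src in sensitive:
            findings.append("host-mount: %s binds host %s at %s" % (name, src, mount.get("Destination")))
    return findings


def audit(daemon_config, records):
    """Run both checks; findings come back in a stable order (daemon first, then containers)."""
    findings = list(daemon_api_findings(daemon_config))
    for record in records:
        findings.extend(container_escape_findings(record))
    return findings


# Constructed sample input (hypothetical daemon.json text and two inspect records).
SAMPLE_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
SAMPLE_CONTAINERS = [
    {   # resembles the campaign's first step: host root bound into a container
        "Name": "/cmd",
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostfs"}],
    },
    {   # ordinary workload: a named volume only
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data", "Destination": "/data"}],
    },
]


def run_sample():
    """Audit the constructed sample; returns the list of finding strings."""
    return audit(json.loads(SAMPLE_DAEMON_JSON), SAMPLE_CONTAINERS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On a real host the same functions take `json.load(open("/etc/docker/daemon.json"))` and the list returned by `docker inspect $(docker ps -q)`; an unauthenticated `tcp://` listener or a host-root bind on a container you did not create is the condition to act on.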

This Week’s Headlines

10 reasons why securing software supply chains needs to start with containers

Containers and Kubernetes are among the least protected areas of software supply chains. A new Cloud Native Computing Foundation (CNCF) report discovered that 28% of organizations have more than 90% of their workloads running in insecure Kubernetes configurations. The majority of these workloads are running with root access, increasing the probability of system compromises and sensitive data being exposed. Organizations are struggling to get container security under control, with attackers capitalizing on the disconnects by exploiting growing vulnerabilities in container images, runtimes, API interfaces and container registries. (Venture Beat)

The SEC won't let CISOs be: Understanding new SaaS cybersecurity rules

Applicable public companies, known as "registrants" of the U.S. Securities and Exchange Commission (SEC), are now subject to cyber incident disclosure and cybersecurity readiness requirements for data stored in SaaS (software-as-a-service) systems, along with the third and fourth-party apps connected to them. The new cybersecurity mandates make no distinction between data exposed in a breach that was stored on-premise, in the cloud, or in SaaS environments. The SEC finds SaaS security lacking as well, citing the "substantial rise in the prevalence of cybersecurity incidents" as a key motivating factor for its new approach. (The Hacker News)

Smart vendor security is key to avoiding a data breach in 2024

Software supply chain attacks and other methods targeting organizations through third-parties are becoming more widespread. The majority of companies use third-party tools and software to conduct their daily operations, making them susceptible to security risks. Many companies falsely assume that vendors are secure and that they do not need to be vetted, which is a critical security misstep. This article lists four main action items organizations should take in 2024 to protect themselves against attacks through third-party apps and services. (Forbes)

Zero-day, supply-chain attacks drove data breach high for 2023

The Identity Theft Resource Center (ITRC) released its annual data breach report, highlighting a new record number of data breaches in 2023. The report noted that the number of data compromises jumped by 78% between 2022 and 2023. Malicious open-source software components may have contributed to the rise of zero-day attacks, with threat actors targeting organizations’ use of these components, which is often unintentional. While the number of data breaches was up, the ITRC did find a 16% decline in the number of victims affected by these compromises. (CSO Online)

One of two new high-severity bugs in Ivanti exploited in the wild

Ivanti, an American IT software company, reported two new high-severity bugs affecting its Ivanti Connect Secure and Policy Secure products, with one bug being exploited in the wild. The flaw being exploited (CVE-2024-21893) appears to be targeted, said Ivanti in a Jan. 31 notice to its customers. Ivanti also said that it's not aware that the other bug disclosed this past Wednesday (CVE-2024-21888) has impacted any customers. The cybersecurity firm Mandiant also identified broad exploitation activity both by the original threat actor, UNC5221, and by various other uncategorized threat groups. (SC Magazine)

Microsoft's latest flaw hits open-source projects

A team of security researchers has uncovered a flaw in Microsoft's code development and testing environment that could affect upwards of 70,000 open-source projects. The flaw was found on the popular testing tool Azure Pipelines, and would allow hackers to inject malicious code into source code and other projects hosted in code testing environments. The recent disclosure underscores the growing importance of both software supply chain security and securing a company’s use of open-source code. (Axios)

Resource Roundup

Webinar | The Cyber CFO: CISO Accountability in the New Era of Software Supply Chain Security

Tuesday, February 6 | 11am-12pm ET

CISOs are facing a never-before-seen level of accountability in the era of software supply chain security. That means they need to act (and be treated by others) more like a CFO. It may seem daunting, but that new responsibility comes with the opportunity to prioritize security within their organizations. [Learn More & Register]

Report | The State of Software Supply Chain Security 2024

Read the research-backed ReversingLabs report on the latest trends, insights and strategies to better understand and prepare your software supply chain security program for 2024. [Read Now]

Happy 1 year anniversary to you and your team! As Bill Gates once said, "Software is a great combination between artistry and engineering." Your contribution to software security truly enhances the masterpiece! Keep up the fantastic work! #ChainmailAnniversary #SoftwareSecurity
