Securing Oracle Cloud Infrastructure (OCI)

Introduction

OCI is a cloud computing service provided by Oracle Corporation. It has a plethora of features that allow you to create anything you want on the cloud.

Getting access to your own instance of OCI is simple and free. You can register for a free trial at https://cloud.oracle.com. You will be prompted for a valid credit card, but the card will not be charged at the end of the trial unless you explicitly opt in.

Every environment has both pros and cons, and this applies to the cloud environment as well. Failure to secure the cloud environment results in exposure to external threats, loss of data, and compromise of infrastructure.

Organizations may lessen the risk of security threats for cloud workloads with the aid of Oracle Cloud Infrastructure (OCI) Security. Oracle enables clients to quickly embrace and secure their cloud infrastructure, data, and apps with the help of easy, prescriptive, and integrated security capabilities built into the OCI platform.

Security Best Practices

Cloud Guard

Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors, and responders.

Restrict Resource Movement:

This policy will not let any user move any resource (block volume, compute, database, networking, object storage, etc.) from the security zone compartment to a standard (non-security zone) compartment. Also, a resource from a standard compartment can’t be moved into a security zone unless it satisfies all security zone policies.

Restrict Resource Association:

This policy ensures that all the individual components (resources) you put together to build your secure infrastructure, such as block volumes, compute instances, OSS buckets, databases, and networking, are selected from within the security zone.

Deny Public Access:

This policy makes sure all resources are private by denying any internet gateways, public buckets, etc. Restricting public access will give peace of mind to many organizations out there.

Require Encryption:

By default, Oracle encrypts all data at rest with Oracle-managed keys. This policy enforces customer-managed keys, held in the Oracle Cloud Vault service, for block volumes and object storage.

Ensure Data Durability:

This policy will deny any database resources without any automatic backups configured.

Ensure Data Security:

This policy focuses on the databases by ensuring that a database can’t be created in a standard compartment by sourcing from a clone or backup of a database in the security zone.

Oracle Approved Images:

This policy ensures that all compute and database resources created in the security zone are sourced from Oracle-approved platform images.

Network Sources

A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy. After creating the network source, it can be referenced in an IAM policy to control access based on the originating IP address.
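To make the network-source mechanism concrete, here is an added example (not Oracle's code and not the OCI SDK or policy engine) that models, in simplified form, how an IAM policy statement carrying a `where request.networkSource.name='...'` condition is evaluated against a request's source address. The statement syntax is OCI's documented form; the `NetworkSource`, `Request`, `is_allowed` names, the verb-hierarchy shortcut and the sample CIDRs and VCN OCID are all constructed for the illustration, and nested compartments are not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Simplified model (hypothetical helper, not the OCI SDK). Verb ordering
# follows OCI's documented hierarchy: manage > use > read > inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Subset of the OCI policy statement grammar with an optional network-source condition.
POLICY_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment \S+)"
    r"(?: where request\.networkSource\.name='(?P<netsrc>[^']+)')?$"
)


@dataclass
class NetworkSource:
    """A named set of allowed source addresses: public CIDRs plus per-VCN CIDRs."""
    name: str
    public_cidrs: list
    vcn_cidrs: dict = field(default_factory=dict)  # VCN OCID -> [CIDR, ...]

    def contains(self, ip, vcn_ocid=None):
        addr = ipaddress.ip_address(ip)
        # Private VCN addresses only count when the call really comes from that VCN.
        cidrs = self.vcn_cidrs.get(vcn_ocid, []) if vcn_ocid else self.public_cidrs
        return any(addr in ipaddress.ip_network(c) for c in cidrs)


@dataclass
class Request:
    group: str
    verb: str
    resource: str
    compartment: str        # "tenancy" or a compartment name
    source_ip: str
    vcn_ocid: str = None    # set when the request originates inside a VCN


def parse_policy(statement):
    m = POLICY_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement}")
    return m.groupdict()


def statement_allows(policy, req, sources):
    if policy["group"] != req.group:
        return False
    if VERB_RANK[policy["verb"]] < VERB_RANK[req.verb]:
        return False
    if policy["resource"] not in ("all-resources", req.resource):
        return False
    if policy["scope"] != "tenancy" and policy["scope"] != f"compartment {req.compartment}":
        return False
    if policy["netsrc"] is not None:
        src = sources.get(policy["netsrc"])
        if src is None or not src.contains(req.source_ip, req.vcn_ocid):
            return False
    return True


def is_allowed(statements, req, sources):
    """OCI IAM is default-deny: a request passes only if some statement allows it."""
    return any(statement_allows(parse_policy(s), req, sources) for s in statements)


# Constructed sample data: a "corpnet" network source and two policy statements.
CORPNET = NetworkSource(
    name="corpnet",
    public_cidrs=["203.0.113.0/24"],
    vcn_cidrs={"ocid1.vcn.oc1..EXAMPLE": ["10.0.0.0/16"]},
)
SOURCES = {"corpnet": CORPNET}
POLICIES = [
    "Allow group Admins to manage all-resources in tenancy where request.networkSource.name='corpnet'",
    "Allow group Auditors to read all-resources in tenancy",
]

if __name__ == "__main__":
    office = Request("Admins", "manage", "instances", "tenancy", "203.0.113.10")
    elsewhere = Request("Admins", "manage", "instances", "tenancy", "198.51.100.5")
    print("admin from corpnet:", is_allowed(POLICIES, office, SOURCES))        # True
    print("admin from elsewhere:", is_allowed(POLICIES, elsewhere, SOURCES))   # False
```

The point the model makes visible is that the condition is an extra gate on top of the group, verb, resource and compartment match: an administrator outside the listed CIDRs gets the same "not authorized" answer as a user with no policy at all, while the unconditioned auditor statement is unaffected.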

OCI Security Audit

The Oracle Cloud Infrastructure Vulnerability Scanning Service regularly scans compute instances and container images for potential vulnerabilities to help strengthen the security posture.

There are several ways to conduct security assessments, including using tools and manually reviewing services in accordance with security requirements.

Cloud providers offer built-in capabilities for managing an environment's security posture, but the limited functionality of these tools often calls for third-party solutions. Listed below are a few third-party tools for scanning and securing OCI.

CloudSploit Scans (https://github.com/cloudsploit/scans)

CloudSploit Scans is an open-source project designed to detect security risks in cloud infrastructure accounts. Its scripts return a series of potential misconfigurations and security risks.

It’s a great tool that supports AWS, Azure, GCP, and even the Oracle cloud assessments.

ScoutSuite – formerly Scout2 (https://github.com/nccgroup/ScoutSuite)

Scout Suite is an open-source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.

It supports AWS, Azure, GCP, Oracle, and even Alibaba clouds!

Resources for Manual Assessment

https://hub.steampipe.io/mods/turbot/oci_compliance/controls/benchmark.cis_v110

https://www.cisecurity.org/benchmark/oracle_cloud

https://docs.oracle.com/en/solutions/oci-security-checklist/security-controls.html

References

https://akanuri.medium.com/oci-operations-d8ba3fe79be9

https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/security_features.htm

‘Eternity malware’ offers Swiss Army knife of cybercrime tools

A one-stop shop for data and crypto kleptomaniacs

Malware that steals passwords, cookies, and payment card data from web browsers is being sold via a Telegram channel and a Tor website, security researchers have discovered.

Collectively named the ‘Eternity Project’ by its architects, the suite of malware already includes stealers, clippers, worms, miners, and ransomware, with a Distributed Denial of Service (DDoS) bot apparently under development.

A Telegram channel provides information about forthcoming software updates and videos documenting the malware’s functionality to around 500 subscribers.

“Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary,” according to a blog post by Cyble Research Labs.

“The TAs [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies.”

Versatile

A Stealer module, which costs $260 for an annual subscription, also exfiltrates AutoFill data, tokens, history, and bookmarks from Chrome, Chromium, Firefox, Edge, Opera, and more than 20 other browsers.

Other data extracted from the infected machine to the threat actor’s Telegram bot includes various system credentials and cryptocurrency taken from a wide range of crypto-wallets and browser cryptocurrency extensions.

Eternity ransomware, meanwhile, can encrypt documents, photos, and databases on disks, local shares, and USB drives on compromised machines.

The ransomware facility – the most expensive option at $490 – offers offline encryption, an encryption algorithm combining AES and RSA, and the option to set a time limit after which files cannot be decrypted.

The Eternity worm, priced at $390, propagates through infected machines via local files and local network shares; Google Drive, OneDrive, and DropBox; and Discord, Telegram, and Python Interpreter.

For $110, budding cybercrooks can harness clipper malware that supports multiple address formats for BTC, LTC, ZEC, and BCH, while a $90-a-year cryptocurrency mining module offers silent Monero mining and automatic restarts.

Cybercrime increase

Researchers suspect the developer behind the Eternity Project is repurposing code in the ‘DynamicStealer’ GitHub repository, and have identified possible links with the threat actor behind the Jester Stealer malware Cyble documented in February.

Cyble Research Labs said it had recently “observed a significant increase in cybercrime through Telegram channels and cybercrime forums”.

Individuals and organizations are advised to protect themselves by installing reputable security software, enabling automatic software updates if practicable, regularly backing up data and keeping backups offline or on a separate network, and refraining from opening untrusted links and email attachments without verifying their authenticity.

Android 7.0+ Phones Can Now Double as Google Security Keys

Google this week made it easier for Android users to enable strong 2-factor authentication (2FA) when logging into Google’s various services. The company announced that all phones running Android 7.0 and higher can now be used as Security Keys, an additional authentication layer that helps thwart phishing sites and password theft.

As first disclosed by KrebsOnSecurity last summer, Google maintains it has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.

The most commonly used Security Keys are inexpensive USB-based devices that offer an alternative approach to 2FA, which requires the user to log in to a Web site using something they know (the password) and something they have (e.g. a one-time token, key fob or mobile device).

But Google said starting this week, any mobile phone running Android 7.0+ (Nougat) can serve the same function as a USB-based security key. Once a user has enrolled their Android phone as a Security Key, the user will need to approve logins via a prompt sent to their phone after submitting their username and password at a Google login page.

Many readers have expressed confusion or skepticism about how Security Keys can prevent users from getting hooked by phishing sites or clever man-in-the-middle attacks. This capability was described in far greater visual detail in this video last year by Christiaan Brand, product manager at Google Cloud.

But the short version is that even if a user who has enrolled a Security Key for authentication tries to log in at a site pretending to be Google, the company’s systems simply refuse to request the Security Key if the user isn’t on an official Google site, and the login attempt fails.

“It puts you in this mode….[in] which is there is no other way to log in apart from the Security Key,” Brand said. “No one can trick you into a downgrade attack, no one can trick you into anything different. You need to provide a security key or you don’t get into your account.”

Google says built-in security keys are available on phones running Android 7.0+ (Nougat) with Google Play Services, enabling existing phones to act as users’ primary 2FA method for work (G Suite, Cloud Identity, and GCP) and personal Google accounts to sign in on a Bluetooth-enabled Chrome OS, macOS X, or Windows 10 device with a Chrome browser.

The basic idea behind two-factor authentication (Google calls it “two step verification” or 2SV) is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via an app (like Authy or Google Authenticator), text message, or an automated phone call. But all of these methods are susceptible to interception by various attacks.

For example, thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device.

A Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubico also sells more expensive U2F keys designed to work with mobile devices.

A number of high-profile sites now allow users to enroll their accounts with USB- or Bluetooth-based Security Keys, including Dropbox, Facebook, Github and Twitter. If you decide to use Security Keys with your account, it’s a good idea to register a backup key and keep it in a safe place, so you can still get into your account if you lose your initial key (or phone, in Google’s case).

To be sure you’re using the most robust forms of authentication at sites you entrust with sensitive data, spend a few minutes reviewing the options at twofactorauth.org, which maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc) and the type of 2FA offered (SMS, phone call, software token, etc.).

Please bear in mind that if the only 2FA options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.

Google says Android 7.0+ phones also can be used as the Security Key for people who have adopted the company’s super-paranoid Advanced Protection option. This is a far more stringent authentication process for Google properties designed specifically for users who are most likely to be targeted by sophisticated attacks, such as journalists, activists, business leaders and political campaigns.

HP plugs critical RCE flaws in InkJet printers

HP has plugged two critical vulnerabilities (CVE-2018-5924, CVE-2018-5925) affecting many of its InkJet printers and is urging users to implement the provided firmware updates as soon as possible.

HP InkJet printer vulnerabilities

The vulnerabilities, discovered and reported by a still unnamed third-party researcher, can be triggered via a maliciously crafted file sent to an affected device. Such a file can cause a stack or static buffer overflow, which could allow remote code execution.

The list of affected devices is long and encompasses the Pagewide Pro, DesignJet, OfficeJet, DeskJet and Envy product lines.

Updates can be downloaded and installed directly from the printer or from the HP website (instructions on how to do it can be found here).

HP’s print security bug bounty program

The company did not mention whether the vulnerabilities it plugged were flagged as part of the newly revealed bug bounty program it launched with Bugcrowd in May, but it’s likely that they were.

For the moment, the program is still private.

According to CSO Online, 34 researchers were invited to participate in it. They have been told to limit their efforts to endpoint devices (all HP enterprise printers) and to concentrate on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws.

Vulnerability reporting is to be done through Bugcrowd, which will verify bugs and reward researchers based on the severity of the flaw and awards up to $10,000.

“Reporting a vulnerability previously discovered by HP will be assessed, and a reward may be offered to researchers as a good faith payment,” HP noted.

Shivaun Albright, HP’s Chief Technologist of Print Security, said that the company is already keeping security in mind while developing printers, but they want to see whether they have missed anything.

Citing Bugcrowd’s most recent State of Bug Bounty Report, HP pointed out that the top emerging attackers are focused on endpoint devices, and the total print vulnerabilities across the industry have increased 21 percent during the past year.


Hackers Delivering Emotet Malware Via Microsoft Office Documents

Emotet Malware

A new malware campaign delivers Emotet malware via Microsoft Office document attachments named “Greeting Card”.

Attackers timed the campaign to the USA’s Independence Day to trick users into downloading the malicious document and installing the malware. The banking Trojan Emotet was first identified in 2014; it is capable of stealing personal information such as usernames and passwords.

Emotet Malware Campaign

The new malware campaign was spotted by Zscaler’s research team and was active between July 2nd and July 4th. “We saw over two dozen unique payloads hitting our Cloud Sandbox in the 48-hour span,” said Zscaler.

The document contains a social-engineered message that asks users to enable content, which allows the malicious macro to run in the background. The macro is obfuscated to avoid detection, and it launches wscript.exe to run the command.


Wscript downloads the payload through a PowerShell script; the de-obfuscated PowerShell command parameters download the Emotet payload and drop it in the temp directory.
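The chain described above (Office document, macro, wscript.exe, PowerShell) is visible in process-creation telemetry, and that is where a defender can catch it. The following is an added example, not Zscaler's or any vendor's code: a small detector that reconstructs the parent chain from a constructed CSV of process-creation events and flags a shell spawned by a script host spawned by an Office application, along with the encoded-command and hidden-window switches typical of the downloader stage. The log format, the `detect`/`parse_events` names and every sample row are constructed for the illustration.

```python
import csv
import io
import re
from collections import namedtuple

Event = namedtuple("Event", "ts pid ppid image cmdline")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed process-creation telemetry (hypothetical format, not real sandbox output).
# Row 4 is the chain from the article; the last row is a benign admin script.
SAMPLE_LOG = r"""
ts,pid,ppid,image,cmdline
2018-07-03T10:01:02,4100,3900,C:\Windows\explorer.exe,explorer.exe
2018-07-03T10:01:15,4212,4100,C:\Program Files\Microsoft Office\WINWORD.EXE,"WINWORD.EXE /n Greeting Card.doc"
2018-07-03T10:01:40,4300,4212,C:\Windows\System32\wscript.exe,"wscript.exe C:\Users\bob\AppData\Local\Temp\gc.vbs"
2018-07-03T10:01:41,4311,4300,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"
2018-07-03T10:05:00,5000,4100,C:\Windows\System32\notepad.exe,notepad.exe
2018-07-03T10:06:00,5100,4100,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell.exe -File C:\ops\backup.ps1"
""".strip()


def parse_events(text):
    return [Event(r["ts"], int(r["pid"]), int(r["ppid"]), r["image"], r["cmdline"])
            for r in csv.DictReader(io.StringIO(text))]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid):
    """Walk parent pointers and return image basenames, child first (cycle-safe)."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events):
    """Return (pid, first three ancestors, reasons) for each suspicious shell launch."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        names = ancestry(e, by_pid)
        if names[0] not in SHELLS:
            continue
        reasons = []
        if len(names) >= 3 and names[1] in SCRIPT_HOSTS and names[2] in OFFICE:
            reasons.append("office->script-host->shell chain")
        if re.search(r"-e(nc(odedcommand)?)?\s", e.cmdline, re.I):
            reasons.append("encoded command")
        if re.search(r"-w(indowstyle)?\s+hidden", e.cmdline, re.I):
            reasons.append("hidden window")
        if reasons:
            alerts.append((e.pid, names[:3], reasons))
    return alerts


if __name__ == "__main__":
    for pid, chain, reasons in detect(parse_events(SAMPLE_LOG)):
        print(pid, " <- ".join(chain), "|", ", ".join(reasons))
```

The ancestry check matters more than the command-line switches: a legitimately scripted PowerShell run from Explorer (the last row) produces no alert, whereas the lineage Office → script host → shell is rare enough in most estates to be worth paging on even before the payload itself is known.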

Emotet is a widely distributed malware, commonly spread via malicious spam campaigns containing Office documents, and every time it re-emerges it brings new capabilities.

It is a multi-component malware capable of stealing credentials from browsers and email clients, performing Man-in-the-Browser attacks, and harvesting email addresses.

The latest campaign adds a feature called RunPE, which hides the malware inside a legitimate process to evade security scanners and injects its code into a Windows executable process.

Twitter gets physical – with support for hardware security keys

Twitter has given millions of users a way of making their accounts even harder to hack, with the introduction of support for physical keys.

Most Twitter users protect their accounts in the traditional way: username and password. As with any other internet account, such security is vulnerable to a number of threats including phishing or a user unwisely choosing the same password that they use elsewhere on the internet.

This is the primary reason that so many Twitter accounts have been compromised by hackers over the years.

High profile victims have included FC Barcelona, CNN, Burger King, Google CEO Sundar Pichai, Wikipedia’s Jimmy Wales, and Mark Zuckerberg.

One of the most notorious hijackings of a Twitter account occurred in 2013, when the Syrian Electronic Army managed to gain control of Associated Press’s Twitter account and posted a message saying that there had been an explosion at the White House and Barack Obama had been injured.

That bogus report knocked 61 billion dollars (briefly) off the Dow Jones Index.

If you’re sensible you have taken better steps than just a password to protect your Twitter account and enabled two-step verification in the form of “Login Verification”. That adds an extra hurdle to the login process by asking for a code generated by a third-party app such as Google Authenticator or Authy to be entered.

For most people, this level of protection is probably enough.

But what if you want to go even further, and wish to ensure an even higher level of security for your Twitter account with a physical key?

If that’s you then you’ll be interested to read news inside a blog post detailing Twitter’s latest steps to combat spam and abuse on the site.

Twitter has revealed that you can now use a physical USB security key which supports the universal two-factor (U2F) standard when signing in for login verification.

The small key fobs require the user who is logging in to physically press a button to confirm their identity, and because the key will only work on the real Twitter website, it provides a high level of protection against phishing sites.
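Both this article and the Google Security Key piece above state the same property: the key only answers for the real site, so a lookalike page cannot complete the login even if it relays the genuine challenge. The following is an added example, not Twitter's, Google's or any FIDO library's code, that models why. The browser, not the page, writes the page origin into the signed client data, and the authenticator holds a credential only for the relying-party ID it was registered with. HMAC over a shared secret stands in for the ECDSA signature a real U2F key produces, and the `Authenticator`, `Browser`, `RelyingParty` names and the `accounts-google.example` lookalike origin are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os

# Toy model of U2F/WebAuthn origin binding. HMAC with a shared secret is a
# stand-in for the real public-key signature; the binding logic is the point.


def rp_id_of(origin):
    """Relying-party ID: the host part of the origin (simplified)."""
    return origin.split("://", 1)[1]


class Authenticator:
    """Holds one credential per relying-party ID and signs only for that ID."""
    def __init__(self):
        self.credentials = {}  # rp_id -> secret (stand-in for a private key)

    def register(self, rp_id):
        secret = os.urandom(32)
        self.credentials[rp_id] = secret
        return secret  # a real key would hand back only the public key

    def sign(self, rp_id, client_data_hash):
        secret = self.credentials.get(rp_id)
        if secret is None:
            raise KeyError("no credential registered for " + rp_id)
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        return hmac.new(secret, rp_id_hash + client_data_hash, hashlib.sha256).digest()


class Browser:
    """The browser, not the page, fills in the origin that gets signed."""
    def __init__(self, authenticator):
        self.authenticator = authenticator

    def get_assertion(self, page_origin, challenge):
        client_data = json.dumps(
            {"type": "get", "challenge": challenge, "origin": page_origin},
            sort_keys=True).encode()
        signature = self.authenticator.sign(
            rp_id_of(page_origin), hashlib.sha256(client_data).digest())
        return client_data, signature


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.rp_id = rp_id_of(origin)
        self.keys = {}     # user -> credential secret
        self.pending = {}  # user -> outstanding challenge

    def register(self, user, authenticator):
        self.keys[user] = authenticator.register(self.rp_id)

    def begin_login(self, user):
        challenge = os.urandom(16).hex()
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, client_data, signature):
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return False, "origin mismatch"
        if data.get("challenge") != self.pending.get(user):
            return False, "unknown challenge"
        rp_id_hash = hashlib.sha256(self.rp_id.encode()).digest()
        expected = hmac.new(self.keys[user],
                            rp_id_hash + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        del self.pending[user]  # challenge is single-use
        return True, "ok"


REAL_SITE = "https://accounts.google.com"          # the genuine origin
LOOKALIKE = "https://accounts-google.example"      # constructed phishing origin


def setup():
    auth = Authenticator()
    rp = RelyingParty(REAL_SITE)
    rp.register("alice", auth)
    return auth, rp, Browser(auth)


def legitimate_login():
    auth, rp, browser = setup()
    challenge = rp.begin_login("alice")
    client_data, sig = browser.get_assertion(REAL_SITE, challenge)
    return rp.finish_login("alice", client_data, sig)


def relayed_phishing_login():
    """A lookalike page relays the real challenge; the key has nothing for its origin."""
    auth, rp, browser = setup()
    challenge = rp.begin_login("alice")
    try:
        client_data, sig = browser.get_assertion(LOOKALIKE, challenge)
    except KeyError:
        return False, "no credential for phishing origin"
    return rp.finish_login("alice", client_data, sig)


def forged_origin_login():
    """Client data that claims the real origin but lacks a valid signature is rejected."""
    auth, rp, browser = setup()
    challenge = rp.begin_login("alice")
    client_data = json.dumps(
        {"type": "get", "challenge": challenge, "origin": REAL_SITE},
        sort_keys=True).encode()
    return rp.finish_login("alice", client_data, os.urandom(32))
```

Two independent checks do the work: the authenticator never produces an assertion for an origin it was not registered with, and the server verifies that the origin inside the signed client data is its own, so neither relaying a live challenge nor rewriting the origin field gets a lookalike site past the login.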

Other websites which support FIDO U2F hardware keys – which are the same size and shape as a typical USB thumb drive – include Google, Facebook, Dropbox, GitHub, and SalesForce.