For this discussion question, research a current article related to virtualization, such as:
- How virtualization weaknesses could be exploited during an attack.
- Creative uses of a virtualization environment for testing purposes.
Remember to include the URL of the article being referenced.
Candace T Nelson says
In the article titled Windows 10 Sandbox activation enables zero-day vulnerability dated September 7, 2020, author Ionut Ilascu reported that a reverse engineer (Jonas Lykkegaard) recently discovered a new Windows 10 zero-day vulnerability that allows for the creation of files in restricted folders that house vital files for the operating system. The vulnerability is limited to computers that have the Hyper-V feature enabled, which is Microsoft’s solution for creating virtual machines on Windows 10. The weakness was detected in the system32 folder, which requires elevated privileges to make changes, except when Hyper-V is active. The vulnerable Hyper-V component, Storage VSP – Virtualization Service Provider (storvsp.sys), allows attackers to create a file in the system32 folder that contains malicious code that they can later execute.
While Jonas would normally have submitted his findings to Microsoft and waited for a patch to be released before communicating them, he reported that – in light of a recent reduction in the reward for detecting high-severity privilege escalation bugs from $20,000 to $2,000 – it is no longer worth it.
https://www.bleepingcomputer.com/news/security/windows-10-sandbox-activation-enables-zero-day-vulnerability/
Kelly Sharadin says
Hi,
Thanks for sharing this article. I have never had any luck with Hyper-V and I always look to turn it off on my personal machines (had to double check after reading this article). I also found the comment on the bug bounty interesting; I try to stay updated in that community. There’s a bit of contention surrounding companies failing to pay rewards for successful bug submissions, which leads to an interesting question – if a bug hunter submits a vulnerability, is it unethical to not compensate them for their effort?
Humbert Amiani says
Hi Kelly,
I find it very unethical for companies that do not compensate the efforts of bug hunters, especially since some vulnerabilities can lead to damages way beyond a simple bug bounty payment if they chose to exploit it rather than come forward with it. However, bug bounties can also lead to inside jobs where bugs are “put in place” to be “discovered” by a bug hunter.
Kelly Sharadin says
Hi Humbert,
Excellent point about the inside job possibilities.
Anthony Wong says
Agreed, Kelly. Good call out, Humbert!
However, I’m still curious on why Microsoft would lower the reward by 90%. $25k is next to nothing for Microsoft to pay out as this appears to be a huge bug/vulnerability that could cause a major headache for Microsoft.
Nicholas Fabrizio says
I agree with Anthony, it would be interesting to hear Microsoft’s rationale on why they lowered the reward so much on high severity vulnerabilities.
Candace T Nelson says
Interesting question, Kelly. The reduction from $25K to $2K was pretty drastic. It seems like Microsoft is attempting to disincent reverse engineers from detecting bugs (or perhaps the inside jobs that Humbert referred to below). While it may not be unethical (assuming there is no contractual agreement between the parties), it seems like a “penny wise, pound foolish” decision in that this is only one example where a bug hunter who would have normally waited until Microsoft released a fix to reveal the vulnerability but chose not to. How many other bug hunters feel the same way and will do the same thing? It will be interesting to see if – in the long run – Microsoft increases the reward.
Kelly Sharadin says
Virtual machines can offer a method of isolation for testing potentially harmful software away from our host operating systems, thus creating a “safe” environment. Hackers have discovered a way to take advantage of virtual machines’ presumed safety. The ransomware group RagnarLocker has done just that; by running an infected virtual machine, RagnarLocker can bypass AV and detection. RagnarLocker downloads and installs Oracle’s VirtualBox (a legitimate program) onto the victim’s machine and configures the device to allow for bi-directional sharing between the VM and host. Once the infected VM boots, because of the cross-privilege previously configured, the VM can infect the host OS with ransomware, all while hiding behind a legitimate program. Pretty clever!
https://www.zdnet.com/article/ransomware-deploys-virtual-machines-to-hide-itself-from-antivirus-software/
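The post above describes the VM-to-host bridge that the technique depends on: a writable shared folder that exposes the host file system to the guest. The following is an added example (not code from the article or from any of the products it names) of how a defender could audit VirtualBox machine files for that condition. It assumes the .vbox XML layout with `SharedFolder` elements carrying `hostPath`, `writable` and `autoMount` attributes; the two sample machine files are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .vbox file: a guest with a writable share of the whole C: drive.
# This is the kind of configuration the post describes, written here as test input.
SUSPICIOUS_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{00000000-0000-0000-0000-000000000001}" name="micro-guest" OSType="WindowsXP">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="C_DRIVE" hostPath="C:\\" writable="true" autoMount="true"/>
        <SharedFolder name="docs" hostPath="C:\\Users\\alice\\Documents" writable="false" autoMount="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

# Constructed benign sample: a single read-only share of one directory.
BENIGN_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{00000000-0000-0000-0000-000000000002}" name="lab-guest" OSType="Ubuntu_64">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="samples" hostPath="/home/alice/samples" writable="false" autoMount="false"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""


def _localname(tag):
    """Strip the XML namespace so the check does not depend on the exact xmlns value."""
    return tag.rsplit("}", 1)[-1]


def is_volume_root(path):
    """True for a whole-drive host path such as 'C:\\', 'C:' or '/'."""
    p = path.strip()
    return p == "/" or re.fullmatch(r"[A-Za-z]:[\\/]?", p) is not None


def audit_shared_folders(vbox_xml):
    """Return one finding per writable shared folder in a .vbox machine file.

    A writable share that maps a whole volume gives the guest the same write reach
    into the host as the user running VirtualBox, so it is rated 'high'; any other
    writable share is rated 'medium' and should be reviewed.
    """
    root = ET.fromstring(vbox_xml)
    findings = []
    for el in root.iter():
        if _localname(el.tag) != "SharedFolder":
            continue
        writable = el.get("writable", "false").lower() == "true"
        if not writable:
            continue  # read-only shares cannot be used to write to the host
        host_path = el.get("hostPath", "")
        findings.append({
            "name": el.get("name"),
            "hostPath": host_path,
            "autoMount": el.get("autoMount", "false").lower() == "true",
            "severity": "high" if is_volume_root(host_path) else "medium",
        })
    return findings


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_VBOX), ("benign", BENIGN_VBOX)):
        print(label, audit_shared_folders(xml_text))
```

On a fleet this would be run over every `*.vbox` under users' VirtualBox VMs directories; a writable whole-volume share on an endpoint where VirtualBox was never deployed by IT is worth an immediate look regardless of what the guest contains.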
Nicholas Fabrizio says
That is a clever way to infect a host machine with ransomware. The article says the RagnarLocker group usually exploits exposed remote desktop protocols to install the infected virtual machine, and with many employees working remotely right now this could be a big concern for some organizations.
Zhuofu Wang says
Agreed. This is also true when using virtual machines to analyze viruses. Pay attention to two-way communication to prevent the host from being infected in turn.
Kelly Sharadin says
Great point! Nothing worse than RE gone wrong.
Nicholas Fabrizio says
Title: Application isolation and virtualization provide a false sense of cybersecurity – It’s time for a better solution
URL: https://www.scmagazine.com/home/opinion/executive-insight/application-isolation-and-virtualization-provide-a-false-sense-of-cybersecurity-its-time-for-a-better-solution/
One benefit of virtualization today is that cybersecurity professionals can easily create a virtual machine that can run guest operating systems on top of the actual host operating system, all while keeping both operating systems isolated from each other. This is great for testing new software or dealing with suspected malware without having to worry about the host OS being compromised. However, as discussed in this article, virtual machines are not completely secure, and back in July 2019 a vulnerability was found, CVE-2019-14378, which could allow malware to execute a “virtual machine escape” that allows the guest operating system to attack the host operating system. An internet security firm was able to demonstrate the vulnerability from a VMware workstation in less than 90 seconds by “first exploiting a heap overflow bug in a Microsoft Edge web browser and then they exploited a bug within the VMware hypervisor”. The article then goes on to describe that the best way to mitigate this vulnerability is by adding embedded runtime integrity controls.
Candace T Nelson says
Amazing article, Kelly, and that is a very good point, Nicholas. The majority of the workforce at my company continues to work remotely (since we are headquartered in NYC), so I intend to bring this article to the attention of the security branch of our IT department. The last thing mine, or any other company for that matter, needs to be dealing with right now is a security breach!
Candace T Nelson says
Sorry Nicholas, I intended for this to be associated with your comment about Kelly’s article!
Candace T Nelson says
Hi Nicholas – I followed the link to the NIST National Vulnerability Database (NVD) to familiarize myself with the ranking system (e.g. 8.8 out of 10) and noted that this vulnerability has been modified since it was first reported back in July 2019. However, the NVD awaits reanalysis that they say may result in further changes. It will be interesting to see if the already high score goes up or down?!
Amelia Safirstein says
Hi Nick,
This is a great point. Virtual machines often create a feeling of total safety and it’s easy to forget that vulnerabilities almost always exist. This just goes to show the importance of supplemental controls or control enhancements in certain situations.
Zhuofu Wang says
Aqua’s cybersecurity research team found a type of attack aimed at containers. The attacker targets a misconfigured Docker API, then builds and runs a malicious image on the host to hijack the host’s resources for mining cryptocurrency. This method of building images directly on the target host bypasses the host’s defense mechanism. Because the image is not pulled from a remote source, the host’s static scanner will not generate a result that points out this malicious image. The team believes the effective way to solve this issue is to keep Dynamic Threat Analysis scanning.
URL: https://blog.aquasec.com/malicious-container-image-docker-container-host
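The entry point in the post above is a Docker API that is reachable over the network without authentication. As an added example (not code from the article or from Aqua), here is a small audit of a Docker daemon configuration that flags the two settings behind that exposure: a `tcp://` listener without `tlsverify`, and a listener bound to every interface. It reads the `hosts` and `tlsverify` keys of `daemon.json`; the two sample configurations are constructed for the example.

```python
import json

# Constructed sample: the weak setting. The API is listening on all interfaces
# on the plaintext port with no client certificate verification.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the corrected setting. The listener is bound to one
# internal address and every API client must present a certificate signed
# by the CA named in tlscacert.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_BINDS = {"", "0.0.0.0", "[::]", "::"}


def _tcp_host(listener):
    """Extract the bind address from a 'tcp://host:port' listener string."""
    hostport = listener[len("tcp://"):]
    if hostport.startswith("["):  # bracketed IPv6 literal, e.g. [::]:2375
        return hostport.split("]", 1)[0] + "]"
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def audit_daemon_config(text):
    """Return (finding, listener) pairs for risky network listeners in daemon.json.

    Only tcp:// listeners are examined; the local unix socket is protected by
    file permissions rather than by TLS. Findings:
      unauthenticated-tcp: a tcp listener while tlsverify is not enabled, so
                           anyone who can reach the port controls the daemon
      wildcard-bind:       the listener accepts connections on every interface
    """
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue
        if not tls_verify:
            findings.append(("unauthenticated-tcp", listener))
        if _tcp_host(listener) in WILDCARD_BINDS:
            findings.append(("wildcard-bind", listener))
    return findings


if __name__ == "__main__":
    print("exposed :", audit_daemon_config(EXPOSED_DAEMON_JSON))
    print("hardened:", audit_daemon_config(HARDENED_DAEMON_JSON))
```

A clean result from this check only closes the network-exposure side of the story; the post's second point, that an image built on the host never passes through a registry scanner, is why runtime analysis of what the container actually does is still needed.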
Kelly Sharadin says
Hi Zhuofu,
Interesting article. I know active threat hunting is becoming the next wave of IR and I wonder how this will impact pentests. Cloud environments are the zenith of virtualization, and with the rapid expansion of scalability I’m sure the prevalence of misconfigurations is high.
Zhuofu Wang says
Agreed, Kelly. Configuration errors will bring security risks, especially as more and more companies choose cloud servers, such as AWS. If there is no periodic security scan of the configured server, then the risk is difficult to find.
In Australia, there was an S3 bucket that was incorrectly configured as public. Hundreds of thousands of driver’s license records stored in it were leaked, and this public bucket had been scanned since two years ago.
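The two posts above point at the same gap: nothing periodically checking whether a bucket is reachable by the public. As an added example (not from either article), the code below evaluates the two S3 settings that make a bucket public, a bucket policy granting access to the `*` principal and an ACL grant to the AllUsers or AuthenticatedUsers groups. The policy and ACL documents are constructed samples in the shape the S3 API returns; the account ID and role name in the private sample are placeholders.

```python
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample bucket policy: the weak setting, anyone may list and read.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-licences", "arn:aws:s3:::example-licences/*"]},
    ],
}

# Constructed sample bucket policy: only one application role may read.
# The account ID and role name are placeholders.
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-licences/*"},
    ],
}

# Constructed sample ACL: the legacy way of making a bucket world-readable.
PUBLIC_ACL = {
    "Owner": {"ID": "placeholder-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return principal if isinstance(principal, list) else [principal]


def public_policy_statements(policy):
    """Return (Sid, verdict) for Allow statements that name the wildcard principal.

    A wildcard Allow with no Condition is 'public'. One with a Condition is
    reported as 'review' instead: conditions such as aws:SourceVpce can restrict
    the grant, but deciding that requires reading the condition.
    """
    hits = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "*" not in _principals(st.get("Principal", {})):
            continue
        verdict = "review" if st.get("Condition") else "public"
        hits.append((st.get("Sid", "<no Sid>"), verdict))
    return hits


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the global AllUsers/AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUP_URIS:
            hits.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def bucket_is_public(policy, acl):
    """True if either mechanism grants unconditional access to everyone."""
    policy_public = any(v == "public" for _, v in public_policy_statements(policy))
    return policy_public or bool(public_acl_grants(acl))


if __name__ == "__main__":
    print("policy:", public_policy_statements(PUBLIC_POLICY))
    print("acl   :", public_acl_grants(PUBLIC_ACL))
    print("public:", bucket_is_public(PUBLIC_POLICY, PUBLIC_ACL))
```

In a real scan the two documents would come from the bucket's policy and ACL API calls for every bucket in the account, on a schedule; the account-level Block Public Access setting is the cheaper control to turn on first, because it overrides both mechanisms at once.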
Kelly Sharadin says
Wow, I haven’t gotten into scraping public breaches yet, but this is interesting.
Anthony Wong says
At the start of COVID-19, many organizations soon realized they did not have the infrastructure to handle all of their employees working remotely. In order to quickly improve infrastructure capabilities to handle the surge of remote workers, organizations went to leverage public cloud solutions. Immediately, employees could reap the benefits and replicate the system performance outside of the office and continue to perform daily tasks. However, there are concerns with quickly implementing a cloud solution on the fly. One concern is the lack of planning in cloud security architecture and overall architecture strategy. Poor planning can create security gaps in user governance, identity access management, and misconfigurations, to name a few. Without a thorough cyber security plan and a team of cloud experts, these security gaps can create opportunities for attackers to infiltrate an organization’s network and potentially lead to a data breach and fines from regulators.
URL: https://www.infosecurity-magazine.com/opinions/misconfiguration-cloud/
Candace T Nelson says
Great read Anthony! I noted the author’s statement that a complicating factor in the rush to public computing is that organizations may not be familiar with the Shared Responsibility Model that requires the vendor to be responsible for the security OF the cloud and the customer to be responsible for the security IN the cloud. Coupled with the fact that customers often put their most sensitive data in the cloud, failure to implement sufficient controls (e.g. role based access) increases the vulnerability of this information.
Anthony Wong says
Thanks Candace! I completely agree. I thought it was an important item that these organizations ultimately forgot about and rightfully so. The amount of pressure coming from the Leadership team to push the teams to implement the Cloud solution as soon as possible might make them overlook this aspect.
Amelia Safirstein says
The number of breaches has increased substantially since COVID-19 started affecting organizations around the world. The first quarter of 2020 had 273% the breaches that occurred during the first quarter of 2019. You can find more stats here: https://www.cnbc.com/2020/07/29/cybercrime-ramps-up-amid-coronavirus-chaos-costing-companies-billions.html
Humbert Amiani says
An Unfortunate Reality for Virtual Systems
There is a rise in cyberattacks as per Europol, due to the increase in remote and telecommuting initiatives employed by most organizations lately. Many organizations have resorted to running Virtual Machines, to which remote employees can connect and carry out their daily duties. One issue facing Virtual Machines is the increased recurrence of data loss and application back-ups being deleted, whereas VMs provide convenience to organizations as they enable them to run multiple instances of machines on one server as opposed to having several separate servers.
Despite there being several causes of data loss to VMs, such as malware, hardware/software malfunction, RAID damage and hacking attacks, human error remains the supreme cause of data loss. VMs also face hardware problems like those of traditional physical systems, such as faulty drives, controllers and server components. Combining multiple separate virtualization solutions in the same environment also increases the potential of data loss exponentially, due to the added complexity of integrating the solutions.
To reduce the impact or possibilities of data loss in virtual environments, ensure the implementation of a good backup rotation scheme, especially since advanced persistent threats are common. Have multiple backups in different physical locations. Having an equally capable backup virtual solution is also vital to ensuring that any interruption in the main system does not cause an overload to the backup system.
https://www.infosecurity-magazine.com/opinions/unfortunate-reality-virtualized/?&web_view=true
Anthony Wong says
Hi Humbert,
Great article that provides insight into some issues with virtualization.
Some key takeaways for me:
1. I learned what a RAID controller is.
2. Human error continues to be a common theme for causing loss or risk.
3. Virtual Machines face hardware issues similar to physical servers.
4. Back up data and software on a regular basis and move them to another location.
Thanks for sharing!
Humbert Amiani says
Anthony,
I’m glad you had some takeaways from the article. It is intriguing how many assumptions we make of VMs being a safer option. Most of the time we forget that they still face similar issues as physical systems, especially when it comes to having backups for both the data created/processed and the VM platform itself.
Nicholas Fabrizio says
Hi Humbert,
Thanks for sharing that article; it was interesting. It provided a lot of great tips for using virtualization, such as sticking to one solution within one environment to help keep the layers of complexity down, as well as keeping a regular backup routine. The article mentioned that although virtualization can save time, it does not avoid the potential of files/data being lost or damaged due to human error, advanced persistent threats, and more, which is why a plan on how to respond is a must for when such an incident occurs.
Humbert Amiani says
Hi Nicholas,
It’s no surprise that virtualization has made us somewhat complacent, especially when it comes to security. We often assume that working in a virtual environment we are safe from threats, but we forget that the environment is running on some physical hardware and we are prone to human errors as well.
Eugene Angelo Tartaglione says
I found this interesting article about Verizon Communications and 5G
https://www.verizon.com/about/news/verizon-fully-virtualized-5g-data-session
“Verizon recently completed the first end-to-end fully virtualized 5G data session in the US. This technology milestone provides the foundation for Verizon to rapidly respond to customers’ varied latency and computing needs by providing the foundation for wide-scale mobile edge computing and network slicing.” This was all done during August 2020. As Verizon extends its MEC leadership, virtualization in the Radio Access Network (RAN) becomes even more important. Along with this, Verizon said they have coordinated with many partners in this demonstration of successful virtualization in the Radio Access Network. They worked alongside Samsung, which provided its commercial 5G virtualized RAN solution, consisting of a virtualized Central Unit (vCU), a virtualized Distributed Unit (vDU), and radio units.
Intel, which provided its Intel Xeon Scalable processor, Intel FPGA Programmable Acceleration Card (Intel FPGA PAC) N3000 and Intel Ethernet Network Adapter XXV710 to deliver the processing, acceleration and connectivity requirements, and its FlexRAN software reference architecture.
And lastly, Wind River, which provided Verizon with a cloud-native, Kubernetes- and container-based software infrastructure, which delivers ultra-low latency and high availability for national deployment of virtualized 5G RAN.
Anthony Wong says
Hi Eugene,
This is exciting news for 5G. However, after reading other students’ articles about weaknesses in virtualization, I’m concerned about the security of a fully wireless 5G network. It’ll be crucial for Verizon and others to ensure these networks are fully locked down with the highest security standards and policies.
Amelia Safirstein says
A cybersecurity firm found Monero cryptojacking code in an AWS Community Amazon Machine Image (AMI) that their client was using. The Monero code was present in the AMI when it was first made available so the creator of the AMI seems to be behind the infections. Cryptomining can have high overhead costs because of the computing power needed. Monero allows the cryptojacker to use the computing power of infected virtual computers to mine cryptocurrency elsewhere. So, the AMI user is basically paying the cryptojacker’s AWS bill. Amazon has verified AMIs available for purchase in their store but some organizations opt for the free, community AMIs that are made available from unverified AMI builders. Amazon makes it clear that use of the unverified AMIs is at the user’s own risk. This story highlights how important it is for a company’s decision makers to understand the risks associated with cost cutting in tech and security situations. Spending the money on a verified AMI may have saved more money in the long run and spending the money to hire a security firm definitely cut their future overhead costs.
https://www.darkreading.com/cloud/cryptominer-found-embedded-in-aws-community-ami/d/d-id/1338713
Kelly Sharadin says
Great article – you’re right, cryptomining is a massive resource hog! I’ve never even thought of using VMs for cryptomining as a way to get around this. I would love to see a business analysis report that examines the amount of money businesses have saved by investing in cloud technology vs the amount of money they’ve lost due to cybersecurity incidents resulting from a poorly configured cloud environment.
Anthony Wong says
I thought it was pretty clever for someone to provide this AMI for free and embed crypto mining in the background. It’s also pretty remarkable that they were able to do this for five years without being discovered. The article notes “Amazon EC2 lets users create community AMIs by making them public so they’re shared with other AWS accounts.” I’d like to know if there is some kind of verification process for these users to publish the AMIs to other AWS accounts. If not, there could potentially be more malicious AMIs that have not been discovered yet.
Bryan Garrahan says
I’m curious if there is some type of verification process as well. I’m also curious if there are any reviews in place that could potentially detect activity such as or similar to the cryptomining. However, my gut tells me there likely isn’t and the investigation into the activity was more of an incident response rather than a protective or detective control. From the looks of it perhaps some kind of log review could have identified this earlier.
Amelia Safirstein says
There actually is a verification process for a number of the AMIs but those are made available at a cost to the end users. It seems like security tends to be one of the first things to go when a small company or a start-up needs to cut costs.
Bryan Garrahan says
https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/
This article doesn’t highlight security issues with virtualization, but it’s written by Brian Krebs on his site krebsonsecurity.com, which I visit almost daily. Since I started my career I have tried several sources in order to get my security information but have found Krebs to be my go-to due to his reputation as well as his ability to inform his readers in a clear and concise way. I read this article a few months back and immediately I could see the correlation between his writing and our ethical hacking curriculum. Krebs writes, “Besides, almost anything you want to learn by doing can be replicated locally. Hoping to master common vulnerability and exploitation techniques? There are innumerable free resources available; purpose-built exploitation toolkits like Metasploit, WebGoat, and custom Linux distributions like Kali Linux that are well supported by tutorials and videos online. Then there are a number of free reconnaissance and vulnerability discovery tools like Nmap, Nessus, OpenVAS and Nikto. This is by no means a complete list. Set up your own hacking labs. You can do this with a spare computer or server, or with older hardware that is plentiful and cheap on places like eBay or Craigslist. Free virtualization tools like VirtualBox can make it simple to get friendly with different operating systems without the need of additional hardware”. He notes that finding cybersecurity professionals with hands-on experience is one of the bigger challenges facing HR departments, so I took some of Krebs’ advice and actually have messed around in a web-based virtual environment in order to familiarize myself with some of the tools he mentioned, such as Kali, NMAP, Wireshark, and Snort.
Bryan Garrahan says
This article outlines a vulnerability from back in February that existed in Intel’s KVM virtualization software running on a Linux kernel-based virtual machine. The vulnerability, which was tracked as CVE-2020-2732, was due to what appeared to be unfinished code on the platform. The article furthers, “The function vmx_check_intercept within the Linux kernel even has an ‘ALL: verify more intercepts…’ but it seems that this vulnerability is due to the fact that this feature was not verifying all interceptions and, as such, could end up emulating instructions not allowed by the virtualization hypervisor, because the behavior until now was to continue in the default code path”. Once the vulnerability was identified, three patches were deployed in order to remediate the KVM fixes. As this vulnerability was identified in February, I attempted to find a more recent article regarding the status of the CVE-2020-2732 vulnerability but was not successful. However, it appears the best solution at this time is to disable emulation instructions until the code has been completed on the platform.
Bryan Garrahan says
Link to the article: https://www.securitynewspaper.com/2020/02/25/cve-2020-2732-once-again-experts-found-critical-vulnerability-in-intel-kvm-virtualization/
Jerry Butler says
Poor control over VM deployments can lead to isolation breaches in which VMs communicate. Attackers can exploit this virtual drawbridge to gain access to multiple guests and possibly the host. Host and guest vulnerabilities: host and guest interactions can magnify system vulnerabilities at several points. Configuration errors will bring security risks, especially as more and more companies choose cloud servers, such as AWS.
https://threatpost.com/imperva-data-breach-cloud-misconfiguration/149127/