The COVID-19 pandemic forced the world to rely even more heavily on technology than we already did. Bad actors continue to force businesses to review and restructure security practices in order to keep up.
When coronavirus spread like wildfire across the globe, nearly the entire world’s workforce was sent home to work remotely. It threw the global economy into a dive, saw unemployment rates skyrocket and forced people to find new ways to do things. The situation brought out the best in humanity, but it also brought forth the worst. Bad actors rubbed their hands together, smiled, and went to work creating attacks on businesses worldwide. The attacks are indiscriminate of company size and industry; threat actors are interested in whatever information they can get. Securing data storage solutions, something largely underappreciated pre-pandemic, suddenly became important.
Businesses began to wonder if they would be next and if they could survive such an attack. Companies started to do security reviews, making sure access controls were set correctly, that patches were up-to-date and that there were no major weaknesses that needed to be addressed. In doing this, many organizations simply forgot something very important: the configuration of data storage. You can set all of the protections you want around your storage solutions, your business information and internal systems, but if you leave something open to the internet due to misconfiguration, those protections don’t mean anything.
For example, over the last three years, malware attacks on Docker and Kubernetes systems have increased in intensity. This is largely due to the prominence of both in cloud services, which are being used more every day. These attacks are well known, and specific malware strains are directed at these systems. Even though it is a known issue, Docker and Kubernetes systems (and likely others) are still being misconfigured, leaving a glaring opening for malware deployment.
“The latest of these malware strains was discovered last week by Chinese security firm Qihoo 360. Named Blackrota, this is a backdoor trojan that is basically a simplified version of the Cobalt Strike beacon implemented in the Go programming language.
Only a Linux version was discovered so far, and it is unclear how this malware is being used. Researchers don’t know if a Windows version also exists, if Blackrota is being used for cryptocurrency mining, or if it’s used for running a DDoS botnet on top of powerful cloud servers.”
One of the few things known about Blackrota is that it relies on misconfiguration of Docker servers. Any business that uses Docker systems is advised to review the official Docker documentation. Make sure you have everything secured and that proper authentication is in place.
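The misconfiguration the paragraph refers to is typically a Docker daemon whose remote API is reachable over TCP without TLS client authentication. The following is an added example, not code from the original post or from the Docker project: a small audit function that reads the contents of a Docker daemon.json and reports a remote API listener that has no TLS client verification or that is bound to every interface. It assumes the standard daemon.json keys ("hosts", "tls", "tlsverify", "tlscacert", "tlscert", "tlskey"); the weak and hardened sample configurations embedded in it are constructed for the example, and the file paths in the hardened sample are placeholders.

```python
"""Audit a Docker daemon.json for a remote API exposed without client authentication.

Added example (not from the original post). It inspects only daemon.json; a
daemon started with "-H tcp://..." on the command line (for example through a
systemd override) can carry the same misconfiguration and must be checked
separately.
"""
import json
from typing import Any, Dict, List

# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def audit_daemon_config(config_text: str) -> List[str]:
    """Return a list of findings for the given daemon.json text.

    An empty list means this file exposes no unauthenticated remote API.
    """
    findings: List[str] = []
    try:
        cfg: Dict[str, Any] = json.loads(config_text) if config_text.strip() else {}
    except json.JSONDecodeError as exc:
        return [f"daemon.json is not valid JSON: {exc}"]

    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        # Only unix:// or fd:// sockets: nothing is reachable over the network.
        return findings

    tls_enabled = bool(cfg.get("tls", False))
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in tcp_hosts:
        bind = host[len("tcp://"):]
        if not tls_verify:
            if tls_enabled:
                # Encrypted, but any client that can reach the port may use the API.
                findings.append(f"{host}: TLS is on but tlsverify is off, so clients are not authenticated")
            else:
                findings.append(f"{host}: plaintext TCP API with no authentication")
        if bind.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: bound to all interfaces")

    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but '{key}' is not configured in daemon.json")
    return findings


def audit_file(path: str) -> List[str]:
    """Convenience wrapper: audit the daemon.json found at `path`."""
    with open(path, encoding="utf-8") as fh:
        return audit_daemon_config(fh.read())


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_daemon_config(text)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

Run it against /etc/docker/daemon.json on a host (audit_file) or drop it into a configuration-compliance job. The weak sample produces two findings (an unauthenticated plaintext listener, bound to all interfaces); the hardened sample, which listens only on an internal address with tlsverify and a CA-issued server certificate, produces none.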
Any technology that is out there, whether it is new or has existed for years, should always be thought of as a potential target for a bad actor. Security is a major concern for businesses today, especially in the last 8 months or so. Any piece of technology that is used by a business should be properly secured and backed up; nothing is off-limits anymore. And if you’re not sure how to properly set up a piece of technology or ensure that it is secure, especially if it’s new technology, hire an expert!