Ubiquiti $4bn VPN Breach Scandal Exposed | efani Partner TheNFG.com

You should use a VPN that provides a “kill switch” Using a VPN without a kill switch is a bad idea.

Recently, a brief VPN outage led to the arrest of a former Ubiquiti developer. This developer, Nickolas Sharp, has reportedly been charged with stealing data and trying to extort his employer Ubiquiti while pretending to be a whistleblower at the same time.

According to the indictment, after securing a job at another company, Sharp allegedly used his still functional privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service to download large amounts of proprietary data.

During the holidays we are seeing more and more attacks but we do not expect those to come from within. To cover his tracks, Sharp had used a VPN connection to mask his real IP address. He then sent a ransom note to Ubiquiti using the same cover, demanding 25 bitcoin in exchange for a promise not to share the data.

January 2021 the Internet of Things (IoT) specialist Ubiquiti disclosed a network breach. The scope of which of the breach was questioned by an anonymous whistleblower a couple of months later. However, according to KrebsOnSecurity, it has now emerged that both incidents were the handiwork of the same individual, Nickolas Sharp, a senior developer at Ubiquiti, who has been charged for the crimes.

Here are some of the biggest risks of using a VPN without a kill switch: It leaves you vulnerable if your VPN connection drops, meaning that your ISP (and thus the government in some cases) can see what you’re up to online or access your IP address until your VPN is back up and running. Using free Wi-Fi can be dangerous, as it’s often not secure. You have to connect to the VPN, then manually disable the kill switch, then disconnect from the VPN. Only then can you browse the web without a VPN. We don’t recommend browsing unprotected.

The most dangerous part? Without the proper precautions, the user may not even know if or when that happened. To counteract this issue, several VPN services offer the “kill switch” feature. In essence, a kill switch cuts your connection to the internet altogether when your VPN connection fails.

Alibaba NYSE: BABA ECS instances targeted Cryptojacking | efani SAFE?

Alibaba ECS instances targeted in new cryptojacking campaign

Hackers have been found attacking Alibaba Cloud Elastic Computing Service (ECS) instances to mine Monero cryptocurrency in a new cryptojacking campaign.

Security researchers at Trend Micro discovered cybercriminals disabling security features in cloud instances so that they could mine for cryptocurrency.

ECS instances come with a preinstalled security agent that hackers try to uninstall upon compromise. Researchers said specific code in the malware created firewall rules to drop incoming packets from IP ranges belonging to internal Alibaba zones and regions.

These default Alibaba ECS instances also provide root access. The problem here is these instances lack the different privilege levels found in other cloud providers. This means hackers who gain login credentials to access a target instance can do so via SSH without mounting an escalation of privilege attack beforehand.

“In this situation, the threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials, or data leakage,” said researchers.

This enables advanced payloads, such as kernel module rootkits, and achieving persistence via running system services to be deployed. “Given this feature, it comes as no surprise that multiple threat actors target Alibaba Cloud ECS simply by inserting a code snippet for removing software found only in Alibaba ECS,” they added.

Researchers said that when crypto-jacking malware is running inside Alibaba ECS, the security agent installed will send a notification of a malicious script running. It is then up to the user to prevent ongoing infection and malicious activities. Researchers said it is always the responsibility of the user to prevent this infection from happening in the first place.

“Despite detection, the security agent fails to clean the running compromise and gets disabled,” they added. “Looking at another malware sample shows that the security agent was also uninstalled before it could trigger an alert for compromise.”

Once compromised, the malware installs an XMRig to mine for Monero.

Researchers said it was important to note that Alibaba ECS has an auto-scaling feature to automatically adjust computing resources based on the volume of user requests. This means hackers can also scale up crypto mining and with users bearing the costs.