Are your Prometheus servers and exporters secure? Probably not

Infosec in brief There’s a problem of titanic proportions brewing for users of the Prometheus open source monitoring toolkit: hundreds of thousands of servers and exporters are exposed to the internet, creating significant security risks and leaving organizations vulnerable to attack.

Aqua Security last week reported that it discovered more than 296,000 internet-facing Prometheus exporters (tools that export info from other infosec tools into Prometheus) and 40,000 servers were exposed to potential risks.

Unfortunately, this isn’t so much a problem with Prometheus itself, as the tool’s documentation “presume[s] that untrusted users can view information about Prometheus, specifically the Prometheus HTTP endpoint, logs and debugging information” if proper steps aren’t taken to protect the instances from the wider internet, Aqua explained.

“The concept of information disclosure through publicly accessible Prometheus servers or exporters is not new,” Aqua added, citing numerous prior reports on the issue. Despite prior warnings, “the number of exposed instances remains alarmingly high.”

Aqua’s researchers wrote that this is far from being a theoretical risk. They were able to access unauthenticated Prometheus servers to retrieve data including authentication tokens, API keys, Docker registries, system images and all sorts of corporate information. Prometheus exporters are also vulnerable to “RepoJacking” – taking over GitHub projects to implant malicious code.

Aqua researchers also discovered that the /debug/pprof endpoint – designed to profile remote hosts – can be exploited to execute denial of service attacks on affected systems. The security shop found that the issue with pprof had been pointed out before but appears to remain unresolved.

“In our view, this vulnerability demands attention and mitigation,” Aqua asserted. But upon contacting the Prometheus security team, Aqua researchers were told “Supporting good production practices trumps protecting users from gross misconfigurations.”

In other words, you have some work to do locking down your Prometheus servers and exporters. Mitigation recommendations are included in Aqua’s report.
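The exposure Aqua describes is easy to check for in your own inventory. The following is an added example written for this article, not code from Aqua's report or from the Prometheus project: it asks a server or exporter, without any credentials, for a handful of endpoints that an unauthenticated Prometheus happily serves (its own scrape configuration, its target list, the Go profiler at /debug/pprof, and an exporter's /metrics) and reports which ones answer 200. The endpoint list, the `http_status` fetcher and the `audit_instance` helper are this example's own choices; the fetcher is injectable so the logic can be exercised offline against constructed responses.

```python
"""Self-audit: does a Prometheus server or exporter you operate serve sensitive
endpoints to an unauthenticated client?  Added example, not Aqua's or Prometheus's code."""
from dataclasses import dataclass
from typing import Callable, List
import urllib.error
import urllib.request

# Paths chosen for this example. The first three are Prometheus server endpoints
# (scrape config with any embedded credentials, scrape targets, Go profiler);
# /metrics is what an exporter serves.
SENSITIVE_PATHS = [
    "/api/v1/status/config",
    "/api/v1/targets",
    "/debug/pprof/",
    "/metrics",
]

# A fetcher takes a URL and returns the HTTP status code (0 if unreachable).
Fetcher = Callable[[str], int]


def http_status(url: str, timeout: float = 5.0) -> int:
    """Default fetcher: plain GET with no credentials, returns the status code."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 401/403 here means authentication is enforced
    except urllib.error.URLError:
        return 0                 # not reachable from where we are running


@dataclass
class Finding:
    url: str
    status: int
    exposed: bool


def audit_instance(base_url: str, fetch: Fetcher = http_status) -> List[Finding]:
    """Probe each sensitive path once and record whether it answered 200 without auth."""
    findings = []
    for path in SENSITIVE_PATHS:
        url = base_url.rstrip("/") + path
        status = fetch(url)
        findings.append(Finding(url=url, status=status, exposed=(status == 200)))
    return findings


def exposed_paths(findings: List[Finding]) -> List[str]:
    """URLs that are readable with no credentials at all."""
    return [f.url for f in findings if f.exposed]


if __name__ == "__main__":
    # Offline demonstration with a constructed fake server: config and metrics are
    # open, the other two endpoints demand authentication.
    def fake_fetch(url: str) -> int:
        return 200 if url.endswith(("/status/config", "/metrics")) else 401

    results = audit_instance("http://prom.example.internal:9090", fake_fetch)
    for f in results:
        print(f"{f.status:>3}  {'OPEN' if f.exposed else 'ok  '}  {f.url}")
```

Run against a hostname you administer, `audit_instance("http://host:9090")` uses the real fetcher; any URL in `exposed_paths` is one that the whole internet can read if the host is reachable from it. The fix Aqua's report points to is the same one the Prometheus documentation assumes: put the instance behind authentication (a reverse proxy, or Prometheus's own `--web.config.file` with `basic_auth_users`) and firewall it off from untrusted networks.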

Critical vulnerabilities of the week: Oh, there you are, Apple

Fashionably late to the party as usual, Apple skipped the Patch Tuesday festivities and published patches for a bunch of its devices on Wednesday instead.

Included in the laundry list of patches for everything from visionOS to Safari are a few critical issues – like a CVSS 9.8 flaw in open source software used in iOS, and an unspecified logic issue in macOS Sequoia audio components that could let an app execute arbitrary code with kernel privileges.

Get patching!

Citrix Netscaler targeted by brute-force password spray campaign

German cyber security officials are warning of a brute-force “password spraying” attack campaign targeting Citrix Netscaler gateways in critical infrastructure sectors.

The Federal Office for Information Security (BSI) in Germany reported that it was tracking a rise in brute-force attacks that stands out only for its sheer volume; it has little further information to suggest the campaign's origin or purpose.

Citrix acknowledged the surge in attacks, and recommended using multi-factor authentication and policy tweaks to stymie the assault.

BSI officials are warning anyone using Citrix Netscaler to deliver web applications to double-check the security of their systems and take the steps needed to protect the sort of public-facing servers – like Netscaler gateways – that are typically hammered by repeated login attempts.

You know – like enforcing strong passwords, enforcing MFA, increasing wait time between unsuccessful login attempts, etc.
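Lockouts and MFA are the controls; the other half of the job is noticing a spray while it is happening. The campaign's defining trait is breadth, not depth: one source tries a few passwords against many accounts so that no single account trips a lockout. The following is an added example, not code from the BSI or Citrix advisories, showing that detection logic over a constructed log. The log format (`<timestamp> auth ok|fail user=<u> src=<ip>`) is made up for the example and is not Netscaler's real syslog format; the thresholds (five distinct accounts, at most two failures each, inside ten minutes) are this example's assumptions and should be tuned to your gateway's traffic.

```python
"""Password-spray detection over gateway auth logs. Added example with a
constructed log format; not the real Netscaler syslog format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample: one spray (203.0.113.7, five accounts, one try each, then a
# success), one single-account brute force (198.51.100.4), one user typo (192.0.2.9).
SAMPLE_LOG = """\
2024-12-10T08:00:01Z auth fail user=alice src=203.0.113.7
2024-12-10T08:00:03Z auth fail user=bob src=203.0.113.7
2024-12-10T08:00:05Z auth fail user=carol src=203.0.113.7
2024-12-10T08:00:07Z auth fail user=dave src=203.0.113.7
2024-12-10T08:00:09Z auth fail user=erin src=203.0.113.7
2024-12-10T08:00:11Z auth ok user=frank src=203.0.113.7
2024-12-10T08:01:00Z auth fail user=alice src=198.51.100.4
2024-12-10T08:01:02Z auth fail user=alice src=198.51.100.4
2024-12-10T08:01:04Z auth fail user=alice src=198.51.100.4
2024-12-10T08:01:06Z auth fail user=alice src=198.51.100.4
2024-12-10T08:01:08Z auth fail user=alice src=198.51.100.4
2024-12-10T08:01:10Z auth fail user=alice src=198.51.100.4
2024-12-10T08:05:00Z auth fail user=grace src=192.0.2.9
2024-12-10T08:05:30Z auth ok user=grace src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn log text into event dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_spray(events: List[dict], window: timedelta = timedelta(minutes=10),
                 min_users: int = 5, max_per_user: int = 2) -> Dict[str, Set[str]]:
    """Sources whose failures within `window` are broad (many accounts) and shallow
    (few tries per account). A single account hammered many times is classic brute
    force, which a per-account lockout catches, and is deliberately not flagged here."""
    fails_by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            fails_by_src[ev["src"]].append(ev)

    flagged: Dict[str, Set[str]] = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):          # slide the window over each start
            per_user: Dict[str, int] = defaultdict(int)
            for ev in fails[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                per_user[ev["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = set(per_user)
                break
    return flagged


def successes_from(events: List[dict], sources) -> Dict[str, List[str]]:
    """Accounts that logged in successfully from a flagged source: the ones to
    reset and review first, because a success after a spray is the actual incident."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        if ev["result"] == "ok" and ev["src"] in sources:
            hits[ev["src"]].append(ev["user"])
    return dict(hits)


def analyze(text: str) -> dict:
    events = parse_log(text)
    sprays = detect_spray(events)
    return {"sprays": sprays, "successes": successes_from(events, sprays)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed log only 203.0.113.7 is reported as a spray, and the success for `frank` from that address is surfaced as the account to act on; the six failures against `alice` from 198.51.100.4 are left to the per-account lockout that the advisory recommends. The same per-source, distinct-account counting is what you would express as a SIEM rule over the gateway's real syslog once you have adapted the regex to its format.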

PII marketplace busted by feds

Rydox, an online marketplace dedicated to selling stolen personal information and various cyber crime tools, has been busted by US authorities after an eight-year run that netted its administrators more than $230,000, the US Department of Justice revealed last week.

Two of the folks behind the site, Ardit Kutleshi and Jetmir Kutleshi, were arrested in Kosovo and are awaiting extradition to the US. A third, Shpend Sokoli, was arrested in Albania and will be prosecuted there. The website, reportedly hosted in Malaysia, was taken offline by authorities in that country with the assistance of the FBI.

According to the DoJ, Rydox was used to conduct 7,600 sales of PII, and more than 18,000 users purchased tools from the service. They allegedly put the purloined PII to use in various scams and criminal schemes.

If convicted, the two Kutleshis each face 20 years in prison for money laundering, ten years for access device fraud, and five years for each of two counts of identity theft and one count of conspiracy to commit identity theft and aggravated identity theft.

Beware requests for video meetings that require unfamiliar software

Cado Security Labs has spotted a campaign that, while targeting Web3 and crypto people, is still a threat to everyone else.

The campaign targets Windows and macOS users using a fake virtual meeting software called Meeten – though it’s entirely possible that name will be different soon, as the crooks behind the campaign have been switching it up with regularity.

Whatever name it’s going by, Meeten is merely the Realst crypto stealing malware, and the miscreants running this campaign are trying to trick victims into installing it by claiming it’s their preferred video conferencing tool. Once Meeten is installed, it goes to work invading wallets and stealing cryptocurrency.

But that’s not all: Along with targeting crypto wallets, Realst is also able to steal Telegram credentials, stored bank card details, Keychain information, browser cookies and autofill credentials.

In short, beware anyone approaching you with a suspicious investment proposition and a request to install unfamiliar software.

BeyondTrust API key pilfered

Identity and access management software firm BeyondTrust last week reported that an API key for its Remote Support SaaS offering was compromised, allowing for password resets of local accounts. But trust them – it’s gonna be okay.

BeyondTrust stated it revoked the key as soon as it realized what had happened, notified all impacted customers, and suspended affected instances, all on the same day – but it still took a few days for the issue to be spotted.

“Potentially anomalous behavior was detected by our Information Security team on December 2nd,” BeyondTrust wrote. “During our initial analysis, the anomalous behavior was confirmed on December 5th, 2024, and a limited number of impacted instances of Remote Support SaaS were identified.”

It’s not clear what might have been done to affected Remote Support SaaS customers in the intervening few days, and BeyondTrust said its investigation is ongoing.

Those affected should have been notified by now – but it might not hurt for Remote Support SaaS customers to contact the vendor just in case. ®
