Open Raven Data Security Newsletter

January 25, 2023

Meta Fined More Than $600 Million For Facebook and Instagram Privacy Breaches

January 5, 2023

Facebook and Instagram parent company Meta has been issued two fines by the Irish Data Protection Commission. The fines, totalling 390 million euros (606 million dollars), were imposed because users were forced to agree to personalized adverts, in breach of privacy rules. Fines issued to Meta by the Data Protection Commission now exceed $1 billion USD, with WhatsApp potentially facing additional fines.

Data Security Perspective: Companies must ensure that they comply with all applicable data protection laws, or face fines on this scale.

Scripps Health, Avalon Healthcare Reach Settlements After Data Breaches

January 3, 2023

Healthcare company Avalon Healthcare has reached a $200,000 settlement with the states of Oregon and Utah over a 2020 data breach. A phishing attack gave threat actors access to the PII and health data of 14,500 employees and patients. In addition to the payment, the settlement requires Avalon to create a security program with policies and procedures to ensure compliance with data privacy laws. Separately, Scripps Health, another healthcare company, has reached a $3.5 million settlement over a 2021 ransomware attack that caused hospital outages and in which threat actors gained access to systems and stole patient data. Scripps reportedly lost $112.7 million in revenue as a result of the attack.

Data Security Perspective: Organizations handling sensitive information, especially health data, need practices in place to prevent breaches or exposure of that data. Many companies are facing large fines and settlements for not having an appropriate security program in place.

Deezer Admits Data Breach That Potentially Exposed Over 220 Million Users' Info

January 4, 2023

Music streaming platform Deezer has announced a data breach that may have exposed the data of over 220 million users. The breach occurred in 2019 at a third-party partner. The data, now being sold on a cybercrime forum, contains user information including names, dates of birth and email addresses of users across Europe, the United States and South America.

Data Security Perspective: Using a third party can create data exposure and breach risk. Companies should ensure that any third party they share data with has adequate security measures in place. Affected users should also watch for fraudulent activity that may follow from having their information exposed.

McGraw Hill's S3 Buckets Exposed 100,000 Students' Grades and Personal Info

December 20, 2022

Education company McGraw Hill exposed over 22 terabytes of data through misconfigured S3 buckets. The buckets contained information on over 100,000 students, along with source code and keys. The exposed data included names, email addresses, grades, performance reports and syllabus material, and the buckets appear to have been exposed since as early as 2015.

Data Security Perspective: Misconfigured S3 buckets are a common cause of data exposure. S3 users should block public access at the account and bucket level, restrict access to the identities that need it, and monitor buckets continuously for drift. The Open Raven Data Security Platform and Magpie, our open-source CSPM, can alert users to misconfigurations and other security policy violations.

Related Magpie Rules:  aws-storage-s3-default-encryption-kms.yaml | aws-storage-s3-bucket-default-lock-enabled.yaml | aws-storage-s3-bucket-level-public-access-prohibited.yaml | aws-storage-s3-bucket-public-write-prohibited.yaml | aws-s3-best-practices.yaml

DATA SECURITY THOUGHTS...

December 13, 2022

Data Leak Exposes Private Profile Information of 5.4 Million Twitter Users, Dumped for Free on Underground Forum

December 2, 2022

The private information of 5.4 million Twitter users is currently being shared for free on an underground forum. The data was exposed in July 2021 by a vulnerability in Twitter's API that allowed unauthorized parties to scrape profile information by submitting phone numbers and email addresses. Malicious actors originally sold the stolen data on underground forums; it now appears to have been dumped for free. Some researchers believe there are multiple dumps of Twitter user data from multiple leaks, possibly covering 17 million users.

Data Security Perspective: Twitter users should be aware of phishing and scam attempts that may follow from having their profile information leaked. Users should treat unexpected emails with scrutiny, as a malicious actor may send carefully crafted phishing emails to obtain financial or other sensitive information.

Third-Party Data Breach Impacts 119 Pediatric Practices, 2.2M Patients

November 29, 2022

Third-party medical IT provider, Connexin Software, notified over 2.2 million patients of a data breach. Noticing anomalous network activity, the company determined an unauthorized party had accessed an offline set of patient data and removed some data. The exposed data included Social Security numbers, treatment, billing, and insurance information, along with personal information of pediatric patients and parents. Connexin Software is offering a year of child identity monitoring services to those affected and notifying affected patients.

Data Security Perspective: Using a third party can, in some cases, be a source of data exposure and breaches. Companies should ensure that any third party they rely on has adequate security measures in place. Affected users should also watch for fraudulent activity that may follow from having their PII exposed.

A Confused Deputy Vulnerability in AWS AppSync

November 25, 2022

Researchers at Datadog have identified a vulnerability in AWS AppSync that could allow unauthorized access to AWS resources. AppSync is an AWS service that developers use to create serverless GraphQL and Pub/Sub APIs. To use AppSync, a developer creates an IAM role with the necessary permissions that the service assumes on their behalf. Datadog's researchers found that the role ARN sent in the request could be modified to an ARN they did not have access to, bypassing the validation meant to prevent this: a classic confused deputy, in which the AppSync service is tricked into using its own privileges on the attacker's behalf. Exploiting this could have let a threat actor gain access to and control of various AWS services. Detection is also challenging, because the resulting requests, malicious or not, appear as regular AppSync requests and would not necessarily look out of the ordinary.

Data Security Perspective: Amazon patched this vulnerability in September and stated that no customer accounts were affected. The research shows that new vulnerabilities keep coming to light even in managed cloud services; users should keep up to date with patches and with provider security bulletins.
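The mitigation AWS documents for confused deputy problems in service-assumed roles is a condition on the trust policy that pins the role to the expected source account or resource (aws:SourceAccount or aws:SourceArn), so the service can only assume it on your behalf. The following is an added example, not Datadog's or AWS's code: a small check that walks a trust policy document and reports service-principal statements that lack such a condition. Both policies it is run against are constructed, and the account ID and AppSync ARN pattern are placeholders.

```python
"""Check IAM role trust policies for the confused-deputy mitigation AWS documents:
a statement that lets a service principal assume the role should carry an
aws:SourceAccount or aws:SourceArn condition. Added example, not Datadog's or
AWS's code; both policies below are constructed."""
import json

SOURCE_CONDITION_KEYS = {"aws:sourceaccount", "aws:sourcearn"}
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(condition):
    """Flatten {"StringEquals": {"aws:SourceAccount": ...}} into a set of key names."""
    return {key.lower() for block in (condition or {}).values() for key in block}


def unscoped_service_statements(trust_policy_json):
    """Return Sids (or positions) of Allow statements that grant sts:AssumeRole to a
    service principal without any aws:SourceAccount / aws:SourceArn condition."""
    doc = json.loads(trust_policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if not services:
            continue  # cross-account (AWS) principals are a separate review item
        if not _condition_keys(stmt.get("Condition")) & SOURCE_CONDITION_KEYS:
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


# Constructed trust policies for a role that a service (here AppSync) assumes.
# 111122223333 is the placeholder account ID used in AWS documentation.
WEAK_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAppSync", "Effect": "Allow",
    "Principal": {"Service": "appsync.amazonaws.com"},
    "Action": "sts:AssumeRole"}]})

HARDENED_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAppSync", "Effect": "Allow",
    "Principal": {"Service": "appsync.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringEquals": {"aws:SourceAccount": "111122223333"},
        "ArnLike": {"aws:SourceArn": "arn:aws:appsync:us-east-1:111122223333:apis/*"}}}]})

if __name__ == "__main__":
    print("weak:", unscoped_service_statements(WEAK_TRUST))
    print("hardened:", unscoped_service_statements(HARDENED_TRUST))
```

The check only inspects the condition keys, not their values; a scanner should still confirm that the account ID and ARN pattern in the condition are the ones you own.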

Infosys Leaked FullAdminAccess AWS Keys On PyPi For Over A Year

November 18, 2022

Engineer Tom Forbes discovered that IT company Infosys had accidentally published AWS keys to the Python Package Index (PyPI). Metadata inside an internal package contained an AWS access key and secret key with full permissions belonging to Infosys; the package had been published in February 2021 and the keys were still active. The keys gave access to an S3 bucket containing clinical data related to Johns Hopkins, although the data was not examined to confirm whether it contained sensitive medical information.

Data Security Perspective: Companies using AWS IAM should follow least-privilege practices when assigning roles and permissions, and prefer temporary credentials, so that a leaked credential grants as little access as possible. Developers also need to be aware that package metadata and other publicly uploaded build artifacts can carry developer secrets.

Other News…

Malicious proof-of-concepts are exposing GitHub users to malware and more

LastPass' latest data breach exposed some customer information 

Failure of officials to follow policy caused California gun owners’ data leak

Recent data breaches expose medical data, other consumer info

Hackers use new, fake crypto app to breach networks, steal cryptocurrency

Security Bulletins

GCP

  • GCP-2022-024
  • GCP-2022-023

AWS

  • AWS-2022-009
  • AWS-2022-008
DATA SECURITY THOUGHTS...

November 10, 2022

Sensitive Data of 65,000+ Entities in 111 Countries Leaked Due to a Single Misconfigured Data Bucket

October 27, 2022

Researchers at SOCRadar have identified what is being called the most significant B2B leak in recent history. A misconfigured, Microsoft-maintained Azure Blob Storage endpoint exposed data belonging to 65,000 entities. The storage contained PII, backups, user information and other business documents totalling 2.4 terabytes. SOCRadar, which named the leak "BlueBleed", also details a second part covering six other buckets that affect 150,000 companies. Microsoft has since secured the storage.

Data Security Perspective: Organizations should ensure their services follow security policies to avoid unauthenticated access to data, especially sensitive data. Misconfigurations of cloud services are still leading to large data breaches. Companies using cloud services to host PII should ensure data is appropriately secured. 

Toyota Dev Left Key To Customer Info On Public GitHub Page For Five Years

October 11, 2022

Toyota announced that personal customer information may have been exposed on GitHub for almost five years. In an apology, the company explained that source code containing an access key was mistakenly uploaded to a public GitHub repository in 2017 by a third party that managed the source code. The exposed information covered 269,019 customers, including email addresses and customer management numbers; Toyota stated that names and payment information were not included.

Data Security Perspective: Toyota issued a notification and an apology to customers affected. It also advised customers to be aware of phishing attempts or suspicious emails. Developers should ensure they do not post access keys and other developer secrets in public-facing Git repositories. 

Shein Data Breach Results In $1.9m Fine For Parent Company

October 13, 2022

An investigation into Chinese online retailer Zoetop has resulted in a $1.9m fine over a 2018 data breach. Zoetop, the parent company of SHEIN and Romwe, suffered a breach in 2018 in which payment information was stolen from millions of customer accounts. According to the New York Attorney General, the company failed to maintain adequate security measures and tried to cover up the breach.

Data Security Perspective: Organizations dealing with personal, sensitive and payment information need to protect it with proper security measures. In the event of a breach, customers must be informed so they can protect themselves. A DSPM such as Open Raven can help organizations know what data they store and where, and ensure it is securely configured.

Optus Confirms 2.1 Million ID Numbers Exposed In Data Breach

October 4, 2022

Australian telecom company Optus confirmed the exposure of 2.1 million customers' government identification numbers in a data breach. Last month the company suffered a cyber attack that exposed the PII of 9.8 million customers, including email addresses, phone numbers, and dates of birth. Of the 9.8 million customers, 2.1 million had government IDs compromised, with 1.2 million being current and valid. The company is now under investigation to determine if the company took precautions in handling customers' PII and could potentially be fined millions of dollars.

Data Security Perspective: Since the breach, a partial set of the data has been offered for sale online, and customers have reported scam attempts. Customers should take precautions and be alert to fraud attempts that can follow from their IDs being exposed. Companies handling PII need to make data security a top priority, both to prevent exposures like this and to avoid the heavy fines that follow them.

Rancher Stored Sensitive Values In Plaintext, Exposed Kubernetes Clusters To Takeover

September 28, 2022

Rancher, a popular Kubernetes management platform, had been storing sensitive data in plaintext on Kubernetes objects. The data included passwords, API keys and account tokens and could be read by anyone with low-privileged access to specific Rancher Kubernetes objects. Exploiting the bug could let such a user gain control of a Kubernetes cluster.

Data Security Perspective: Rancher has been patched, and users should update to the latest version immediately. Rancher is also advising users to check downstream clusters for signs of compromise and to rotate any credentials that may have been affected.

Other News…

2K Games Warns Users Their Stolen Data Is Now Up For Sale Online 
Hackers Stole Data From US Defense Org Using Impacket, CovalentStealer
Former Uber CSO Convicted Of Covering Up Megabreach Back in 2016
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
Malicious OAuth Applications Abuse Cloud Email Services to Spread Spam
Hundreds of Microsoft SQL Servers Backdoored with New Malware
Chase UK's App-only Bank Hit with 24-hour Ongoing Outage

Security Bulletins

GCP

  • GCP-2022-020
DATA SECURITY THOUGHTS...

September 27, 2022

Shiba Inu Cloud Credentials Leaked In A Major Security Breach

September 8, 2022

Researchers at PingSafe found leaked AWS credentials belonging to the Shiba Inu cryptocurrency project. The AWS keys were posted in a commit to Shiba Inu's public GitHub repository by one of the project's developers and remained valid for two days. Leaked AWS credentials expose the owner to a wide range of abuse; if the keys carry broad permissions, the whole AWS account can be taken over.

Data Security Perspective: Leaked developer secrets can open an organization to a host of issues, including abuse by threat actors. Users should ensure credentials are not committed to public repositories or hard coded into applications. 

TikTok Denies Security Breach After Hackers Leak User Data, Source Code

September 5, 2022

Social media company TikTok denies that it has suffered a large breach. Hacking group "AgainstTheWest" posted claims on a hacking forum that TikTok and WeChat had been breached, using screenshots of databases as evidence. The database allegedly holds over 2 billion records, including 790GB of user data, source code, authentication tokens and server information. TikTok says the data does not belong to it; however, some researchers who analyzed the data believe it is legitimate.

Data Security Perspective: Organizations need to ensure they have secure practices in place, especially when dealing with user and customer information. 

Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information

September 1, 2022

In a report by Symantec's Threat Intelligence team, researchers found that over three-quarters of the applications they analyzed contained AWS keys. Of 1,859 Android and iOS apps analyzed, 77% contained valid AWS access tokens for private AWS cloud services, and 98% of the apps containing AWS tokens were iOS applications. Most of the exposed keys came from third-party libraries and SDKs bundled into the apps, and many granted access to the whole cloud account rather than to a single file or resource.

Data Security Perspective: Exposed credentials are an ever-growing concern for applications, whether from developers accidentally exposing them or, as this story highlights, from third-party components leaking them. Developers need to ensure credentials are not hardcoded into applications, especially keys with full access permissions, and should review the libraries they ship for embedded secrets.

Manx Care Faces £170k Fine Over Patient Data Breach

August 18, 2022

Manx Care, the healthcare provider for the Isle of Man, faces a £170k fine if it does not implement measures to protect patient data. The penalty follows a breach last year in which Manx Care sent an email containing a patient's confidential data to 1,870 recipients. The fine will take effect if the required security measures are not in place by the end of the year.

Data Security Perspective: Organizations dealing with sensitive information, especially health data, need to make sure to have practices in place to prevent any kind of breach or exposure of that data. This story highlights how high the fines can be for health data exposure, even if it is the data of one person. 

DoorDash Discloses New Data Breach Tied To Twilio Hackers

August 26, 2022

https://www.bleepingcomputer.com/news/security/doordash-discloses-new-data-breach-tied-to-twilio-hackers/

Food delivery service DoorDash has disclosed a data breach that exposed customer and employee data. The company announced that a threat actor used credentials stolen from a third-party vendor to gain access to its systems. The third party appears to be Twilio, which recently suffered a large breach of its own. The exposed data includes email addresses, delivery addresses, names and phone numbers, with some affected customers also having order details and partial credit card information exposed.

Data Security Perspective: This story highlights the issue of third-party data breaches, with one data breach leading to many other follow-on data breaches. Affected customers should be vigilant against phishing attacks that may try to use their personal information. 

Other News…

Customers' Data Of This Cloud Platform Is Exposed

Security Breaks: TeamTNT’s DockerHub Credentials Leak

U-Haul Discloses Data Breach Exposing Customer Driver Licenses

LastPass Discloses Data Breach

49ers Data Breach May Have Exposed More Than 20,000 People to ID Theft, Documents Say

Samsung Confirms Data Breach, Personal Customer Data Stolen

Data Breach Takes Down IHG Hotel Group Booking System, Impacting Holiday Inn, Kimpton And More

DaVita Inc. Confirms Recent Data Breach Leaked SSNs and Health Information

Indonesia Investigating Alleged Data Breaches at State-owned Firms

Cloud Security Bulletins

AWS 

  • AWS-2022-007

DATA SECURITY THOUGHTS...

August 23, 2022

Cisco Hacked: Ransomware Gang Claims It Has 2.8GB Of Data

August 10, 2022 

Cisco confirmed it was the victim of a ransomware gang after stolen files were posted on the dark web. The attackers, the Yanluowang group, obtained an employee's credentials and then tricked the employee into accepting MFA push requests. Once they had access to the VPN, they moved through the corporate network and installed malware. The group claims to have stolen 2.75 GB of data and tried to extort Cisco with it; however, no ransomware was actually deployed.

Data Security Perspective: Organizations should train employees to recognise credential theft and social engineering, including MFA prompts they did not initiate. Companies should also review the permissions of employee accounts and limit access to material a threat actor could steal once inside.
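The intrusion above turned on an employee accepting MFA push requests they had not initiated, which leaves a signal in authentication logs: a burst of push prompts to one user in a short window, followed by an approval. The following detection logic is an added example, not Cisco's own detection content; the log lines are constructed in a hypothetical "<ISO timestamp> <user> <event>" format, and the event names are assumptions for the sake of the example.

```python
"""Flag users who receive a burst of MFA push prompts inside a short window, and
note whether an approval followed the burst. Added example, not Cisco's detection
content; log format and event names below are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_EVENTS = {"mfa_push_sent"}
APPROVE_EVENTS = {"mfa_push_approved"}


def find_push_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: {"prompts": n, "approved_after_burst": bool}} for every user
    who received at least `threshold` push prompts within any `window`."""
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        stamp, user, event = line.split(" ", 2)
        now = datetime.fromisoformat(stamp)
        prompts = recent[user]
        while prompts and now - prompts[0] > window:  # slide the window forward
            prompts.popleft()
        if event in PUSH_EVENTS:
            prompts.append(now)
            if len(prompts) >= threshold:
                entry = flagged.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                entry["prompts"] = max(entry["prompts"], len(prompts))
        elif event in APPROVE_EVENTS and user in flagged and len(prompts) >= threshold:
            # An approval while the burst is still in the window is the worst case:
            # the user may have accepted a prompt they did not initiate.
            flagged[user]["approved_after_burst"] = True
    return flagged


# Constructed sample: alice is bombarded and eventually approves; bob is normal.
SAMPLE_LOG = """\
2022-05-24T09:00:00 alice mfa_push_sent
2022-05-24T09:00:02 alice mfa_push_denied
2022-05-24T09:00:40 alice mfa_push_sent
2022-05-24T09:01:15 alice mfa_push_sent
2022-05-24T09:01:50 alice mfa_push_sent
2022-05-24T09:02:30 bob mfa_push_sent
2022-05-24T09:02:33 bob mfa_push_approved
2022-05-24T09:02:40 alice mfa_push_sent
2022-05-24T09:03:20 alice mfa_push_sent
2022-05-24T09:03:25 alice mfa_push_approved
""".splitlines()

if __name__ == "__main__":
    for user, finding in find_push_bursts(SAMPLE_LOG).items():
        print(user, finding)
```

Threshold and window are the tuning knobs: set them from a baseline of legitimate re-prompts in your own identity provider logs, and route the approved-after-burst case to a higher-severity queue than the burst alone.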

120K Priority Health Members Impacted By Third-Party Data Breach

Michigan-based health insurance company Priority Health has announced that it suffered a third-party data breach. The breach may have exposed first and last names, pharmacy and claim information, drug names and prescriptions dating back to 2012. The third-party breach occurred in October 2021 at a law firm, Warner Norcross and Judd, when unauthorized activity took place in its systems.

Data Security Perspective: This incident highlights the ongoing problem of third-party breaches. When organizations rely on third parties to handle their sensitive information, they must trust that the third party will take all precautions to protect the data. 

Twitter Fixes Security Bug That Exposed At Least 5.4 Million Accounts

August 5, 2022

A security vulnerability led to the exposure of 5.4 million Twitter accounts. The vulnerability, which Twitter says is now fixed, allowed anyone to submit the phone number or email address of a known user and learn which Twitter account it belonged to. Although the bug was fixed in January, threat actors had already exploited it to build a database of the phone numbers and email addresses of Twitter accounts, including high-profile users.

Data Security Perspective:  Affected Twitter users should take precautions to protect their accounts and be aware of attempts at phishing. In addition, other steps such as MFA should be enabled. 

Twitter API Leak Can Open Door To Building a Bot Army, CloudSEK Reports

August 1, 2022

Researchers at CloudSEK have identified over 3,000 mobile apps that expose developer secrets. The leaked secrets are Twitter API credentials, including valid consumer keys and secrets. Whoever holds these keys can act as the associated account: reading and writing direct messages, posting tweets, changing account settings and performing any other associated action. The keys are typically leaked by developers who left them embedded in the application.

Data Security Perspective: Human error and accidental credential leaks are common mistakes that can lead to organizations being breached. Developers should follow secure programming practices, and credentials should never be shipped in a production build.

Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive

July 19, 2022

Researchers at Palo Alto Networks have identified a campaign by Russian threat group APT29 targeting a NATO country. The campaign, in May 2022, used suspicious PDF files sent via email that contained a link to an EnvyScout payload hosted on Dropbox. In a second campaign, the same actors used Google Drive to store data stolen by the malware.

Data Security Perspective: As organizations move to the cloud, so do threat groups. Hosting payloads and exfiltrated data on Dropbox and Google Drive helps the group avoid detection, because traffic to those services is trusted and common in most networks. Organizations should ensure employees are protected against emails containing malicious attachments and links.

Other News

7-Eleven Denmark Confirms Ransomware Attack Behind Store Closures

Automotive Supplier Breached By 3 Ransomware Gangs In 2 Weeks

Phishing Attack Abuses Microsoft Azure, Google Sites To Steal Crypto

Cloudflare Employees Also Hit By Hackers Behind Twilio Breach

Kansas MSP Shuts Down Cloud Services To Fend Off Cyberattack

Cloud Security Bulletins

GCP 

  • GCP-2022-018
DATA SECURITY THOUGHTS...

July 28, 2022

Mangatoon Data Breach Exposes Data From 23 Million Accounts

July 9, 2022

Manga platform Mangatoon has suffered a data breach that exposed 23 million user accounts. The breach, which occurred in May, exposed users' names, genders and email addresses, along with hashed passwords and authentication tokens. A known threat actor stole the data by gaining access to Mangatoon's Elasticsearch server using weak credentials.

Data Security Perspective: This story highlights the necessity of strong credentials, as the database password was allegedly simply "password". Organizations should have security policies in place that enforce strong credentials on every internet-reachable service, to avoid breaches like this one.

From The Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts

July 18, 2022

Researchers from SentinelOne observed the crimeware group 8220 expand its botnet to around 30,000 hosts. The group typically targets Linux and cloud environments through known vulnerabilities or insecure configurations. A series of simple scripts infects the victim and installs the PwnRig cryptominer. AWS, Azure, GCP and Aliyun are all common targets for 8220.

Data Security Perspective: Cloud users should ensure all known vulnerabilities are patched and all cloud environments are properly secured. A CSPM such as Magpie can notify users of misconfigurations in their AWS environment.

Exploiting Authentication in AWS IAM Authenticator for Kubernetes

July 11, 2022

Lightspin researcher Gafnit Amiga has identified another AWS vulnerability, this time in AWS IAM Authenticator for Kubernetes. The vulnerability, CVE-2022-2385, could let a threat actor escalate privileges in Elastic Kubernetes Service clusters by impersonating other identities. The bug sits in the code path used when the authenticator is configured with the AccessKeyID template: the code lower-cases query parameter names with ToLower before looking them up, so an attacker can send the same parameter twice, once in uppercase and once in lowercase, and have one copy pass validation while the other is used to build the identity.

Data Security Perspective: EKS users who do not use the AccessKeyID template are not affected by this vulnerability. Users who do use it should update AWS IAM Authenticator for Kubernetes to the latest version.
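The mechanism above is a general bug class: if a parser folds parameter names to one case before lookup, two spellings of the same name collide, and a component that looks names up case-sensitively (the service that actually verifies the signed request) will see a different value than the one that folds. The following is an added example, not the authenticator's code: a case-folding lookup beside a case-sensitive one and a strict parser that rejects the collision. The query string, the credential-scope format and both key IDs are constructed (the key IDs are AWS documentation placeholders).

```python
"""Parameter-name case-folding, the bug class behind the IAM Authenticator item.
Added example, not the authenticator's code; the query strings and key IDs are
constructed to show the mechanism and are not a real signed request."""
from urllib.parse import parse_qsl

# Constructed key IDs in the AWS documentation placeholder format.
SIGNED_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # key that actually signed the request
SPOOFED_KEY_ID = "AKIAI44QH8DHBEXAMPLE"  # identity the attacker wants to be mapped to

SMUGGLED_QUERY = (
    "Action=GetCallerIdentity&Version=2011-06-15"
    f"&X-Amz-Credential={SIGNED_KEY_ID}/20220711/us-east-1/sts/aws4_request"
    f"&x-amz-credential={SPOOFED_KEY_ID}/20220711/us-east-1/sts/aws4_request"
)
CLEAN_QUERY = (
    "Action=GetCallerIdentity&Version=2011-06-15"
    f"&X-Amz-Credential={SIGNED_KEY_ID}/20220711/us-east-1/sts/aws4_request"
)


def lookup_casefolded(query_string, name):
    """Vulnerable lookup: every name is lower-cased before it is stored, so
    'X-Amz-Credential' and 'x-amz-credential' land on the same slot and the
    later one wins."""
    folded = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        folded[key.lower()] = value
    return folded.get(name.lower())


def lookup_exact(query_string, name):
    """Case-sensitive lookup: the view a service that verifies the signature has."""
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key == name:
            return value
    return None


def parse_strict(query_string):
    """Hardened parse: keep names case-sensitive and refuse any request in which
    two names collide after case folding (which also rejects plain repeats)."""
    seen = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key.lower() in seen:
            raise ValueError(f"ambiguous parameter name: {key!r}")
        seen[key.lower()] = (key, value)
    return dict(seen.values())


def is_ambiguous(query_string):
    """True when parse_strict would reject the request."""
    try:
        parse_strict(query_string)
    except ValueError:
        return True
    return False


def key_id_from(credential):
    """The access key ID is the first '/'-separated field of a credential scope."""
    return credential.split("/", 1)[0]


if __name__ == "__main__":
    print("signature-side view:", key_id_from(lookup_exact(SMUGGLED_QUERY, "X-Amz-Credential")))
    print("folded view:        ", key_id_from(lookup_casefolded(SMUGGLED_QUERY, "X-Amz-Credential")))
    print("strict parser rejects it:", is_ambiguous(SMUGGLED_QUERY))
```

The two lookups disagreeing on one request is the whole vulnerability: whichever value is used to verify the signature is not the one used to decide who the caller is. Rejecting the request outright, as parse_strict does, is safer than picking a canonical copy.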

California Data Breach Exposes Thousands of Gun Owners

July 2, 2022

The Firearms Dashboard, California's gun database, suffered a data breach that exposed the PII of gun owners. The Department of Justice uploaded, and left publicly accessible, a spreadsheet containing the addresses, dates of birth, criminal histories, driver's license numbers, genders, names and races of California gun owners. The spreadsheet was taken down within 24 hours; however, the DOJ announced that other parts of the database might also have been exposed.

Data Security Perspective: This story highlights how human error can leak personal information. Organizations dealing with PII need to be careful with how the data is handled and stored. For organizations using cloud storage, a DSPM such as Open Raven can tell you where sensitive data is stored, minimizing the risk of unwanted data exposure.

Neopets Security Breach: Users’ Data Reportedly Stolen 

July 22, 2022

Virtual pet website Neopets has announced that it may have been the victim of a data breach, potentially exposing the PII of up to 69 million users. Neopets' database and some source code appear to have been stolen by a hacker who is trying to sell the information for four bitcoins, or approximately $90,500. The stolen information includes birth dates, country, email addresses, gender, postcodes and game information.

Data Security Perspective: Neopets recommends that all users update their passwords. While it is unknown how the breach occurred, organizations should maintain good security practices such as enabling two-factor authentication.

Other News

Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware ⚡

More Than 4,000 Individuals’ Medical Data Left Exposed For 16 Years
Flipkart’s Cleartrip Confirms Data Breach After Hackers Put Data For Sale
UK Heat Wave Causes Google and Oracle Cloud Outages

DATA SECURITY THOUGHTS...

July 12, 2022

Millions of Secrets Exposed via Web Application Frontend – An Internet-Wide Study

June 14, 2022

A study by RedHunt Labs shows how many secrets web applications expose. Using a scanner against the top one million sites, the researchers gathered nearly 400,000 secrets, including AWS secret keys, Facebook tokens, GCP API keys, reCAPTCHA keys and Stripe tokens, the majority of them exposed via JavaScript files.

Data Security Perspective: This report highlights the ongoing issue of leaked developer secrets. Once these secrets are exposed, malicious actors can use them for initial access and lateral movement. Users should rotate exposed keys, and a product such as Open Raven can help discover exposed developer secrets.

12K Misconfigured Elasticsearch Buckets Ravaged by Extortionists

June 1, 2022

Researchers from the Secureworks Counter Threat Unit identified public-facing Elasticsearch databases whose contents had been replaced with ransom notes. Over 1,200 databases, all reachable without authentication, were found holding the note, which demands $620 to a Bitcoin wallet. The researchers believe an automated script was most likely used to find and wipe the databases.

Data Security Perspective: Users should ensure their cloud assets are not reachable without authentication, and add further measures such as network restrictions and two-factor authentication where supported. A DSPM such as Open Raven can discover cloud assets and their misconfigurations.

Related Magpie Rules: aws-big-data-and-analytics-elasticsearch-node-to-node-encryption.yaml

Hotel Giant Marriott Confirms Yet Another Data Breach

July 6, 2022

Hotel chain Marriott confirmed that it has again been the victim of a data breach. The breach apparently occurred in June, when threat actors used social engineering to trick an employee into giving them access to their computer, allowing the attackers to steal over 20 gigabytes of data. The stolen data included sensitive information such as guest credit card details and employee details.

Data Security Perspective:  Organizations need to make sure to have a strong security policy in order to protect their own data, as well as customers’ PII. 

Korean Loyalty Platform Exposed Around a Million Customers’ Personal Data

July 6, 2022

Korean loyalty platform Dodo Point exposed over 38 gigabytes of customer PII through an unsecured Amazon S3 bucket. The bucket contained business data, client payment details and customer personal data, including names, birth dates, phone numbers and email addresses, covering a 10-year period. The bucket was neither encrypted nor restricted from public access.

Data Security Perspective: Misconfigured cloud assets are a continual problem for cloud users, and it is vital for organizations to secure their data properly. Amazon S3 buckets should have public access blocked, access limited to the identities that need it, and encryption at rest enabled. A DSPM product such as Open Raven can discover data and identify where misconfigurations are occurring.

Related Magpie Rules: aws-storage-s3-default-encryption-kms.yaml | aws-storage-s3-bucket-default-lock-enabled.yaml | aws-storage-s3-bucket-level-public-access-prohibited.yaml | aws-storage-s3-bucket-public-write-prohibited.yaml | aws-s3-best-practices.yaml

Report: Over 300k Residents in the Philippines Exposed in Covid-19 Relief Portal Leak

July 6, 2022

Researchers from vpnMentor identified a data breach involving Proud Makatizen, the official website of the city of Makati in the Philippines. The website, which started as a COVID-19 portal, had a misconfigured Amazon S3 bucket containing over 620,000 files totalling 39 gigabytes. The exposed data included financial information, names, nationality, medical information and photo IDs.

Data Security Perspective: Once again, as with the above stories, this further highlights the issue of cloud misconfigurations and the associated risks of not having proper security controls in cloud assets. 

Related Magpie Rules: aws-storage-s3-default-encryption-kms.yaml | aws-storage-s3-bucket-default-lock-enabled.yaml | aws-storage-s3-bucket-level-public-access-prohibited.yaml | aws-storage-s3-bucket-public-write-prohibited.yaml | aws-s3-best-practices.yaml

Other News

OpenSea discloses data breach, warns users of phishing attacks

Aon Hack Exposed Sensitive Information of 146,000 Customers

YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom”

Checkmate Ransomware via SMB Services Exposed to the Internet

OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow

Cloud Security Bulletins

GCP 

  • GCP-2022-016
  • GCP-2022-017
DATA SECURITY THOUGHTS...

June 22, 2022

Public Travis CI Logs (Still) Expose Users to Cyber Attacks

June 13, 2022

Researchers at Aqua Security released research detailing how tens of thousands of user tokens were exposed via Travis CI API. By using an API call, millions of logs can be accessed in clear text. Within these logs are credentials, developer secrets, and tokens from cloud providers, including AWS, Docker Hub, and GitHub. The exposure of this information could lead to account takeover, database access, privileged access to code repos, or using the data for lateral movement within other services such as AWS S3.    

Data Security Perspective: Users should regularly rotate credentials, keys, and tokens so that, in the event these are stolen, they will no longer be of use. Additionally, users should not print these secrets to logs, since the report explains how they can be exposed inadvertently there. Finally, organizations should deploy a data security platform to help identify where their secrets are stored.
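To make the "do not print secrets to logs" advice concrete, here is an added example (not from the newsletter or from Aqua's report) that scans constructed CI log lines for the token types the story names and redacts them; the token formats are the documented AWS and GitHub prefixes, and the sample lines and key values are constructed.

```python
"""Detect and redact credentials leaking into CI build logs.

Added example, not from the original newsletter or the Aqua report. It scans
constructed Travis-style log lines for the credential types the story says
were exposed (AWS keys, GitHub tokens, secret-looking environment variables)
and returns a redacted copy of the log plus a list of findings that never
contain the full secret. Token shapes follow the publicly documented
prefixes; the sample log lines and key values are constructed.
"""
import re
from dataclasses import dataclass

# Each pattern captures the secret itself in group 1. Anchoring on documented
# token prefixes keeps false positives from ordinary output (hashes, URLs) low.
SECRET_PATTERNS = {
    # AWS access key IDs: 'AKIA' followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # GitHub classic personal access tokens: 'ghp_' followed by 36 characters.
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    # Environment dumps: a variable whose name suggests a secret, e.g.
    # AWS_SECRET_ACCESS_KEY=... (heuristic; names like TOKEN_COUNT also match).
    "secret_env_var": re.compile(
        r"\b[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD)[A-Z0-9_]*=(\S+)"
    ),
}


@dataclass
class Finding:
    line_no: int
    kind: str
    preview: str  # first and last four characters only, never the full value


def _preview(secret: str) -> str:
    """Shorten a secret so the finding itself cannot leak it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_and_redact(lines):
    """Return (redacted_lines, findings) for an iterable of log lines."""
    redacted, findings = [], []
    for line_no, line in enumerate(lines, start=1):
        clean = line
        seen = set()  # one finding per distinct secret on a line
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                if secret in seen:
                    continue
                seen.add(secret)
                findings.append(Finding(line_no, kind, _preview(secret)))
                clean = clean.replace(secret, "[REDACTED]")
        redacted.append(clean)
    return redacted, findings


# Constructed log excerpt; the key values are AWS's documented example
# credentials and a made-up GitHub token, not real secrets.
SAMPLE_LOG = [
    "$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "$ git clone https://ghp_0123456789abcdefghijklmnopqrstuvwxyz@github.com/org/repo.git",
    "Build finished: commit 3f2a9c1 ok",
]

if __name__ == "__main__":
    cleaned, found = scan_and_redact(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} ({f.preview})")
    print("\n".join(cleaned))
```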

Turkish Based Airline’s Sensitive EFB Data Leaked

May 30, 2022

Turkish carrier Pegasus Airlines had its Electronic Flight Bag (EFB) data exposed through an AWS S3 bucket left without password protection. The bucket, which contained almost 23 million files, included crew PII, source code, and sensitive flight information. The exposed data included flight charts and revisions, pre-flight checks, insurance documents, photos and signatures of staff, plaintext passwords, and AWS secret keys, among other files. Pegasus has since secured the bucket.

Data Security Perspective:  More and more companies are facing large data exposures, frequently due to Amazon Web Services misconfigurations. In this instance, Pegasus left their AWS S3 bucket publicly accessible due to a lack of password protection and is facing fines as a result. S3 users should ensure their buckets are configured appropriately, especially with adding password protection. The Open Raven Data Security Platform and Magpie, our open-source CSPM, can alert users to misconfigurations and other security policy violations.

Related Magpie Rules:  aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-iam-and-security-iam-attached-policies | aws-security-best-practices
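As an added example of the bucket-level check the Magpie rules above encode (written for this newsletter entry, not Magpie's own rule code), the following evaluates whether an S3 bucket such as the one in the Pegasus story is publicly readable from its Public Access Block settings, ACL and bucket policy; the input dicts are constructed to mirror the boto3 response shapes, and the bucket name, account ID and role name are made up.

```python
"""Decide whether an S3 bucket is open to anonymous or any-authenticated readers.

Added example, not Magpie's own rule implementation. A bucket is treated as
public when its ACL grants to the AllUsers/AuthenticatedUsers groups are not
ignored, or when its policy allows a wildcard principal and
RestrictPublicBuckets is off. The input dicts are constructed to mirror the
shapes of the boto3 get_public_access_block, get_bucket_acl and
get_bucket_policy responses; bucket names and account IDs are made up.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _public_acl_permissions(acl):
    """Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups."""
    perms = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.append(grant["Permission"])
    return sorted(set(perms))


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _public_policy_actions(policy):
    """Actions allowed to any principal by statements that carry no Condition."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    actions = set()
    for stmt in _as_list(doc.get("Statement", [])):
        # A Condition (e.g. aws:SourceVpce) narrows the grant; such statements
        # are not counted as public here rather than evaluating the condition.
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            actions.update(_as_list(stmt.get("Action", [])))
    return sorted(actions)


def evaluate_bucket(bucket):
    """Return {"public": bool, "findings": [...]} for one bucket description."""
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    findings, public = [], False

    perms = _public_acl_permissions(bucket.get("Acl", {}))
    if perms and not pab.get("IgnorePublicAcls", False):
        public = True
        findings.append(f"ACL grants {perms} to everyone")

    actions = _public_policy_actions(bucket.get("Policy"))
    if actions and not pab.get("RestrictPublicBuckets", False):
        public = True
        findings.append(f"bucket policy allows {actions} to any principal")

    if not all(pab.get(k, False) for k in PAB_KEYS):
        findings.append("Public Access Block is not fully enabled")
    return {"public": public, "findings": findings}


# Constructed inputs: an exposed bucket of the kind described above, and the
# same bucket after hardening (all four Public Access Block settings on,
# owner-only ACL, policy scoped to a single IAM role).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}
EXPOSED_BUCKET = {
    "PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS},
    "Acl": {"Grants": [OWNER_GRANT,
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-efb-bucket/*"}]}),
}
HARDENED_BUCKET = {
    "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
    "Acl": {"Grants": [OWNER_GRANT]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/EfbReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-efb-bucket/*"}]}),
}
```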

SynLapse – Technical Details for Critical Azure Synapse Vulnerability

June 14, 2022

Researcher Tzah Pahima from Orca Security has discovered a vulnerability in Microsoft Azure. The vulnerability, named “SynLapse”, enables attackers to obtain credentials, control other Synapse workspaces, execute code, and leak customer credentials outside of Azure. Exploiting a shell injection vulnerability leads to remote code execution in the Magnitude Simba Redshift ODBC driver that Microsoft’s software uses.

Data Security Perspective: Microsoft has since implemented the changes Orca recommended, including limiting API usage and using a sandboxed VM, mitigating the vulnerability. Microsoft also recommends that users of Synapse workspaces or Azure Data Factory deploy them with a managed virtual network to provide better isolation.

Shields Health Care Group Data Breach Affects 2 Million Patients

June 7, 2022

Shields Health Care Group, a Massachusetts-based medical company, has suffered a data breach. The breach, which occurred in March 2022, was caused by malicious actors gaining access to the company’s systems. As a result, the information of 2 million patients was accessed. This information included: billing information, birth dates, home addresses, medical diagnoses, insurance numbers, and Social Security numbers, among other medical PII. 

Data Security Perspective: Affected patients should be aware of attempts to use their personal information for fraudulent purposes. Organizations should ensure their services follow security policies to avoid unauthenticated access to data, especially sensitive data.

Other News

Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat
Panchan’s Mining Rig: New Golang Peer-to-Peer Botnet Says “Hi!”
PyPI Package ‘keep’ Mistakenly Included A Password Stealer
Another 1.3M Patients Added To Data Breach Tally of Ransomware Attack on Eye Care Leaders
Data Breach At US Ambulance Billing Service Comstar Exposed Patients’ Healthcare Information

Cloud Security Bulletins

GCP

  • GCP-2022-015

Data security thoughts...

May 31, 2022

PyPI Package 'ctx' And PHP Library 'phpass' Compromised To Steal Environment Variables

May 24, 2022

PyPI package 'ctx' has been compromised by malicious actors to steal environment variables. The package, which typically gets over 22,000 downloads a week, had its code altered to collect environment variables and send them to a C2 after base64 encoding them. In addition to the PyPI package, a fork of PHP library 'phpass' was also altered similarly to retrieve AWS developer secrets and send them to the same C2 address as the ctx package. 

Data Security Perspective: For users of ctx, older versions of the package do not contain the malicious code. However, for newer versions 0.2.2, 0.2.6, and above, users should exercise caution and can check for malicious code. For users of phpass, the package appears to have been remedied to stop the attack. 

US Charity Exposed Users' Sensitive Images

May 11, 2022

Researchers from SafetyDetectives have uncovered a misconfigured AWS S3 bucket belonging to a Pennsylvania breast cancer charity, Breastcancer.org. The bucket, which was left unsecured, contained over 150,000 files, or 150GB of data. The data included user avatars and images users have posted, including private images that contain nudity for medical purposes. In addition, the EXIF data was still intact in the images, which included GPS location and device details. The exposed bucket was discovered in November 2021 and has been secured as of May 2022.

Data Security Perspective: Cloud misconfigurations pose a massive risk to organizations and can have severe consequences. Organizations should ensure security policies are followed in order to prevent data exposure. Solutions such as Open Raven or Magpie can discover and alert about exposed data, along with other security policy violations.

Related Magpie Rules:  aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-iam-and-security-iam-attached-policies | aws-security-best-practices

Wiz Research Discovers "ExtraReplica"— A Cross-Account Database Vulnerability In Azure PostgreSQL

April 28, 2022

Researchers at Wiz have discovered a vulnerability in Microsoft Azure Database for PostgreSQL Flexible Server. The vulnerability, named "#ExtraReplica", bypasses tenant isolation, enabling unauthorized read access to other PostgreSQL databases. Malicious actors could gain this access by exploiting a bug in the Flexible Server authentication process that grants elevated privileges, and then using an improperly anchored regex to reach the other database.

Data Security Perspective: Microsoft responded to the vulnerability with patches for the Flexible Server released in February 2022 and said that no customers had been affected. As noted by Wiz, this vulnerability highlights the lack of a cloud vulnerability database, similar to the CVE database, which enables users to track and respond to vulnerabilities.  

Heroku Admits To Customer Database Hack After OAuth Token Theft

May 5, 2022

After last month's security alert from GitHub that threat actors were stealing OAuth tokens from Heroku and Travis-CI, Heroku announced the same stolen token was used to breach its customer database. The company announced the threat actor accessed and exfiltrated customer passwords from a customer database. Heroku initially reported that the stolen OAuth tokens could only give threat actors access to GitHub repositories, not to Heroku customer accounts.

LemonDuck Targets Docker For Cryptomining Operations

April 21, 2022

Cryptomining botnet LemonDuck has been targeting Docker to mine cryptocurrency on Linux. Exposed Docker APIs are targeted with a custom entry point that downloads a disguised Bash script. The Bash script then sets up a cronjob which downloads the payload; the payload kills processes, daemons, and known network connections and removes competing cryptominers. It then downloads and runs the XMRig cryptominer.

Data Security Perspective: The misuse of exposed Docker APIs is increasing, especially for cryptomining. Users should ensure they have the correct security configurations when using Docker. 

Medical Software Firm Fined €1.5M For Leaking Data Of 490k Patients

April 28, 2022

Medical software company Dedalus Biology has been fined 1.5 million Euros after exposing the PII of nearly 500,000 patients. The data, which came from a leaked database, included full names, genetic information, medical information such as medical conditions, and social security numbers. The leak appears to go back to March 2020, with parts of the dataset sold online in 2021. In total, Dedalus Biology was charged with three violations of GDPR, totaling 1.5 million Euros.

Data Security Perspective: Compliance is important for companies, especially those operating in Europe, as data exposure can lead to massive fines. Correct authentication and encryption are necessary for organizations, especially when handling sensitive data. 

Report: FOX Exposed Nearly 13 Million Content Management Records Online

An exposed database belonging to FOX has been discovered by security researchers from Website Planet. The database contained 58 GB of information, with nearly 13,000,000 records, including internal emails, employee ID numbers, IP addresses, host information, and cast and crew names, among other details. While it is not apparent how long the database was exposed, it has since been secured. 

Data Security Perspective: Having the correct configurations for databases and cloud resources is vital for organizations. This story highlights how even large corporations with security teams can be vulnerable to data exposure. 

Other News

Microsoft Finds New Elevation of Privilege Linux Vulnerability, Nimbuspwn

Below The Surface: Group-IB Identified 308,000 Exposed Databases In 2021

NPM Flaw Let Attackers Add Anyone As Maintainer To Malicious Packages

New Black Basta Ransomware Springs Into Action With a Dozen Breaches

Jira Vulnerability CVE-2022-0540

Cisco Umbrella Virtual Appliance Static SSH Host Key Vulnerability

Critical Argo CD Vulnerability Could Allow Attackers Admin Privileges

Rogue Cloud Users Could Sabotage Fellow Off Prem Tenants Via Critical Flux Flaw

A Closer Look At Eternity Malware

Pharmacy Giant Hit By Data Breach Affecting 3.6 Million

Highlighted Security Tool

Anchore Engine is an open-source tool that analyzes container images against user-customizable policies. In addition, Anchore also evaluates vulnerabilities in the container images. Anchore Engine can be used within multiple orchestration platforms such as Docker, Kubernetes, and Amazon ECS, among others.

Cloud Security Bulletins

GCP

  • GCP-2022-014

Data security thoughts...

April 25, 2022

Security Alert: Attack Campaign Involving Stolen OAuth User Tokens Issued to Two Third-Party Integrators

April 19, 2022

GitHub announced findings of a campaign in which an attacker used stolen OAuth credentials to access and download data from private repos, npm, and other organizations. The OAuth tokens appear to have been stolen from third-party integrators Heroku and Travis-CI and used to access data from organizations that use Heroku and Travis-CI. In one instance, an AWS API key was stolen and used to download private npm repositories. GitHub announced that GitHub repos have not been affected by this campaign and have notified the affected companies.

Data Security Perspective: Affected customers have been and continue to be notified by GitHub. In addition, users should review what authorization they have given to which applications and revoke any unnecessary or unknown authorizations.

AWS RDS Vulnerability Leads to AWS Internal Service Credentials

April 11, 2022

A researcher at Lightspin discovered a vulnerability in Amazon Relational Database Service (RDS). The vulnerability allows AWS credentials to be accessed by exploiting a local file read vulnerability using a Postgres extension. Using the RDS superuser role, a validation function can then be dropped allowing for a successful path traversal. This then leads to the exposure of temporary credentials for an AWS internal role, and subsequently the discovery of the internal service.

Data Security Perspective: AWS released a patch for the vulnerability and fixed all currently supported versions. AWS also confirmed that the vulnerability was not exploited by any other actors.

Cado Discovers Denonia: The First Malware Specifically Targeting Lambda

April 6, 2022

Researchers at Cado Security have identified what is being described as the first malware targeting AWS Lambda. The malware, named “Denonia”, is written in Go and appears to be designed to execute within Lambda, specifically to deploy a custom XMRig crypto miner. The method used to deploy the binary is currently unknown. However, the researchers speculate it may be due to compromised AWS secrets.

Data Security Perspective: While the impact of Denonia appears to be limited, the use of Lambda demonstrates threat actors expanding into various cloud environments. While the use of stolen AWS credentials is unconfirmed, unauthorized use of Lambda functions could prove costly for organizations. In the event of stolen AWS credentials, users should immediately delete or disable the credentials.

Over 8 Million Cash App Users Potentially Exposed In A Data Breach After A Former Employee Downloaded Customer Information

April 14, 2022

A data breach occurred at Cash App after a former employee accessed and downloaded customer data. The breach, which happened in December 2021, has affected over eight million users. How the employee accessed the data has not yet been revealed; presumably, they still had access to an account that was not deactivated.

Data Security Perspective: Former employees having access to company information after leaving is a massive security risk that is being seen in more data breaches. Companies need to ensure proper offboarding takes place to avoid unauthorized access. In addition, companies can use a product such as Magpie or Open Raven to identify who has access and to which data.

Related Magpie Rules: aws-iam-and-security-ensure-no-stale-roles-with-inline-policies-for-s3-access | aws-iam-and-security-iam-user-unused-credentials-check | aws-storage-s3-bucket-cloudtrail-logs | aws-storage-s3-bucket-logging-enabled

Other News

Git Security Vulnerabilities Prompt Updates

Cloud Native Technologies Used In Russia-Ukraine Cyber Attacks

LockBit Ransomware Gang Lurked In A U.S. Gov Network For Months

Large-scale npm Attack Targets Azure Developers With Malicious Packages

Highlighted Security Tool

Kubesec is an open source security scanner for Kubernetes. The tool scans your resource YAML file to return a score based on how secure your containers are, and identifies any vulnerabilities.

Cloud Security Bulletins

AWS

  • AWS-2022-005
  • AWS-2022-004

GCP

  • GCP-2022-012
  • GCP-2022-013

Data security thoughts...

April 7, 2022

New Spring Java Framework Zero-Day Allows Remote Code Execution

March 30, 2022

A zero-day vulnerability has been found in the Spring Core Java Framework. The vulnerability, “Spring4Shell” or “CVE-2022-22965”, allows for remote code execution due to a bypass for “CVE-2020-1622”, a vulnerability in the Java Beans API. For a malicious actor to exploit Spring4Shell, all that is required is a simple HTTP request to a vulnerable system with DataBinder enabled and an appropriate payload based on its configuration. Microsoft released research detailing how an attacker can change the AccessLogValve class to create a .jsp containing a web shell based on the specified parameters, which can then be used to execute commands from the attacker.

Data Security Perspective: Users are encouraged to update to Spring Framework versions 5.3.18 or 5.2.20. Other workarounds include upgrading Tomcat, downgrading to Java 8, or setting “disallowedFields” on WebDataBinder globally. While multiple conditions are required to exploit this vulnerability, there are reports of it being exploited in the wild. Users should immediately seek to prevent exploitation.

Stop Neglecting Your Cloud Security Features: Check Point Research Found Thousands of Open Cloud Databases Exposing Data In The Wild

March 15, 2022

Researchers at Check Point have identified over 2,000 insecure Firebase databases. Many of the exposed application databases have millions of downloads and expose customer data, including bank information, location, health data, phone numbers, and private keys, among other sensitive data. The applications had previously been uploaded to VirusTotal, an anti-virus repository, with the insecure data available for anyone who comes across it. 

Data Security Perspective: While cloud misconfigurations can be seen as a simple security issue, many organizations are continuing to have damages occur from databases that are improperly secured. Properly configuring data stores is incredibly important, especially when handling sensitive and customer data, as leaks can be expensive. The exposure of databases can be utilized by attackers for malicious purposes such as modifying the content for extortion.

Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices | gcp-storage-cloud-bucket-public-access

Cr8escape: New Vulnerability in CRI-O Container Engine Discovered By Crowdstrike (CVE-2022-0811)

March 15, 2022

A vulnerability in the Kubernetes container engine CRI-O has been identified by security researchers at CrowdStrike. Named “cr8escape” (CVE-2022-0811), it is a high-severity flaw that, if exploited, could enable a malicious actor to gain root access to and control over a Kubernetes pod. With access to a pod, an attacker could host malware, exfiltrate data, or use it for privilege escalation.

Data Security Perspective: Users of Kubernetes CRI-O should immediately update to the most recent version. In addition, OpenShift 4+ and Oracle Container Engine for Kubernetes, which use CRI-O, may also be vulnerable.

‘Dirty Pipe’ Linux Vulnerability Discovered

March 7, 2022

A Linux vulnerability was discovered by security researcher Max Kellermann that enables data to be overwritten in arbitrary read-only files. The vulnerability, designated “CVE-2022-0847”, affects Linux kernel versions 5.8 and over, although it has been patched in later versions. To exploit the vulnerability an attacker needs read permission on the target file, a few other conditions, and a sequence of data movements through a pipe; altogether it is not highly complicated. Read permission is essential because it is required for the splice() function to write into the pipe from the target file; write permission, however, is not needed. An attacker can exploit this vulnerability to elevate privileges, which can be used as part of an attack such as escaping a container.

Data Security Perspective: Any vulnerability that enables threat actors to have elevated privileges is always high risk, as it can typically be used to gain access to other systems depending on their intent. If an attacker were to exploit this vulnerability, all of the target’s systems would be under their control, including their data. Linux users are urged to immediately update their kernel version. 

Ex CafePress Owner Fined $500,000 For 'Shoddy' Security, Covering Up Data Breach

March 17, 2022

The former owner of CafePress, an e-commerce platform, has been fined $500,000 due to how they mishandled security, particularly in relation to customer data. The Federal Trade Commission (FTC) outlined how the company failed to secure sensitive customer data and was unable to prevent data breaches, in addition to attempting to hide serious breaches. Improperly secured data included customer PII such as cleartext password reset answers, partial payment card details, phone numbers, and unencrypted Social Security numbers. This data was then posted for sale online, with CafePress still not patching the vulnerability that enabled the exfiltration until months later.

Data Security Perspective: While many of the issues in this story were due to malpractice on the part of CafePress, it is important that all organizations have visibility into sensitive data locations. As highlighted by this story, data breaches are expensive for companies. 

Other News

Unsecured Microsoft SQL, MySQL Servers Hit By Gh0stCringe Malware

BIG sabotage: Famous npm Package Deletes Files to Protest Ukraine War

KrisShop Falls Prey to Data Breach, Nearly 5k Customer Accounts Impacted 

Facebook Fined $18.6M Over String Of 2018 Breaches of EU’s GDPR

Useful Tools

Previous newsletters covered recent Linux vulnerabilities, so we thought we would highlight a useful open source tool called Lynis. Lynis can be used to scan UNIX-based systems to identify vulnerabilities. Lynis also supports penetration testing, auditing, compliance, and system hardening projects.

Cloud Security Bulletins

AWS

  • CVE-2022-0778

GCP

  • GCP-2022-011
  • GCP-2022-010 (high severity)
  • GCP-2022-009

Data security thoughts...

March 11, 2022

From The Editor

Welcome, and thanks for reading. In our second issue, we explore the data security impact of two newly discovered vulnerabilities and review recent data breaches in AWS and Azure. If you have feedback or suggestions, send a note to hello@openraven.com.

New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?

March 3, 2022

In February, Linux announced a high-severity privilege escalation vulnerability designated "CVE-2022-0492". Researchers at Unit42 identified how this vulnerability can be exploited to potentially escape containers. Control groups (cgroups) are a Linux kernel feature used to allocate and limit resources, and each cgroup hierarchy contains a release_agent file. The vulnerability lies in the handling of this file: if notify_on_release is enabled, the binary named in release_agent runs with full privileges, but the kernel did not check that the process writing the file had admin privileges. Whether the vulnerability can be exploited depends on circumstances such as the security modules and profiles in use; in the right situations, it can be used to escalate privileges for malicious purposes.

Data Security Perspective: All Linux users should immediately upgrade to the latest available version(s). Should an attacker exploit this vulnerability, they can gain access to sensitive data, gather system information and establish persistence. In addition, users should follow best security practices, including enabling Linux security modules such as Seccomp, SELinux, and AppArmor. As the vulnerability exists in the Linux kernel, all distributions are at risk and should follow security advisories for their distro. Users of AWS, GCP, and Kubernetes should enable Seccomp to restrict container privileges.

AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service

March 7, 2022

Researchers at Orca Security identified a critical vulnerability in the Microsoft Azure Automation Service. The vulnerability, named "AutoWarp", enables access to Managed Identity tokens for other user accounts, which can then grant full access to resources and data. Orca Researcher Yaniv Tsarimi wrote a simple Python script to make HTTP requests to a range of ports, retrieving other users' identity endpoints, including those in several large companies.

Data Security Perspective: AutoWarp demonstrates how vulnerabilities can exist in systems often trusted to be secure. Malicious actors can exploit the flaw to gain complete control of resources and data and elevate privileges. Microsoft patched the vulnerability and has not identified any token misuse. In addition, Azure Automation users are encouraged to follow best practices.

Luxury Children's Fashion E-Commerce Site Exposes Customers Worldwide

February 21, 2022

The security team at SafetyDetectives discovered a breach affecting French fashion retailer Melijoe. Melijoe had a misconfigured S3 bucket that exposed roughly 200 GB of data. The data contained customer PII including addresses, birth dates, email addresses, gender, children's names, payment information, and past purchases. Melijoe uploaded data to the unsecured bucket from October 2016 until November 2021, when SafetyDetectives notified the company of the exposure.

Data Security Perspective: Misconfigured S3 buckets are a common cause of data exposures. In this instance, Melijoe left their AWS S3 bucket publicly accessible due to a lack of password protection. S3 users should ensure buckets are configured with appropriate password protection. The Open Raven Data Security Platform and Magpie, our open-source CSPM, can alert users to misconfigurations and other security policy violations.

Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices

Internet Society Data Leak Exposed 80,000 Members' Login Details

February 18, 2022

The Internet Society (ISOC), a non-profit organization, announced a data leak due to a third-party vendor. Security researchers at Clario identified the exposed data after discovering a misconfigured Azure blob repository. The repository was publicly accessible and contained PII of members, including addresses, email addresses, login credentials, and names. The Internet Society stated that there is no evidence of any malicious actors accessing the information.

Other News

Duncan Regional Hospital data breach impacts 92K

Cookware giant Meyer discloses cyberattack that impacted employees

Did You Know

...that well thought out and well-maintained dataclasses are vital to any data classification software? Or that human data is one of the most difficult to match? In our latest article, Introduction to Regex Based Data Classification for the Cloud, you can learn everything you need to know about writing and developing dataclasses.


Data security thoughts...

February 22, 2022

From the editor:

Welcome to our first issue. Thanks for reading. This week, we explore several recent data leaks and breaches, provide links to new Magpie rules that help close data security gaps, and provide a helpful tip about using NAT gateways in AWS VPCs. We'll add new sections and topics over time. If you have feedback or suggestions, send a note to hello@openraven.com.

Malicious Kubernetes Helm Charts Can Be Used To Steal Sensitive Information From Argo CD Developments

February 3, 2022

Security Researchers at Apiiro have identified a zero-day vulnerability in Argo CD. Argo CD (Continuous Delivery) is a popular continuous delivery platform. The vulnerability, designated “CVE-2022-24348”, can allow a malicious actor to access API keys, passwords, secrets, tokens, among other sensitive information, which can be utilized in further attacks for privilege escalation and lateral movement.

Data Security Perspective: Users of Argo CD are urged to immediately apply the patch for this vulnerability that has been released for multiple versions.

British Council Data Breach Leaks 10,000 Student Records

February 3, 2022

Security Researchers from Clario have identified a data breach that has exposed over 10,000 student records held by the British Council. The data, which included study durations, enrollment dates, email addresses, full names, and student IDs was held on an open Microsoft Azure blob repository. The blob container contained more than 144,000 files, according to researchers.

Data Security Perspective: Affected users should be aware of attempts to use the stolen personal information for fraudulent purposes. Organizations should ensure their services follow security policies to avoid unauthenticated access to data, especially sensitive data.

Telco Fined €9 Million For Hiding Cyberattack Impact From Customers

February 1, 2022

Hellenic Telecommunications Organization (OTE) has been fined €9 million related to sensitive customer information leaking from a breach. OTE Group is the largest technology company in Greece, providing telecom services. The company was breached in 2020 and a threat actor stole 48GB of data that included age, gender, positional data, and plan information.

Data Security Perspective: Data breaches are increasingly common and highly costly issues facing organizations. Open Raven identifies where sensitive data is stored and isn’t adequately protected. Products such as Open Raven, or Magpie, can discover and alert to exposed data, along with other security policy violations, and prevent expensive data leaks.

Unsecured AWS Server Exposed 3TB In Airport Employee Records

January 31, 2022

An unsecured AWS S3 bucket exposed over one million files containing sensitive data. The data contained information related to employees of airports across Colombia and Peru and was stored in a bucket owned by security company Securitas. The exposed information included occupations, ID photos, names, PII, and airport information regarding planes, GPS, luggage handling, and fueling lines.

Data Security Perspective: Cloud misconfigurations pose a massive risk to organizations and can have severe consequences. Organizations should ensure security policies are followed in order to prevent data exposure. Solutions such as Open Raven or Magpie can discover and alert about exposed data, along with other security policy violations.

Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-iam-and-security-iam-attached-policies | aws-security-best-practices

New Docker Cryptojacking Attempts Detected Over 2021 End-of-Year Holidays

January 27, 2022

Misconfigured Docker APIs have become a popular target for threat actors looking to mine cryptocurrency. Researchers at CrowdStrike have recently observed a crypto mining operation that targets exposed Docker APIs to deploy a Monero miner. A series of bash scripts are used to stop containers, run xmrig, and scan IP ranges. Many groups have been taking advantage of Docker misconfigurations, including Kinsing, TeamTNT, and WatchDog.

Data Security Perspective: Docker users should ensure they correctly configure their containers. Additionally, users should only use images from trusted sources.

Did You Know?

...the default NAT gateway timeout in an AWS VPC is 5 minutes and 50 seconds? If you’re running Kubernetes (K8s) infrastructure in an AWS VPC through a NAT gateway, check out our blog post to learn more.
