Open Raven Data Security Newsletter
💻 Linux Version of AvosLocker Ransomware Targets VMware Servers
10/01/22
The AvosLocker ransomware gang has added Linux systems to its list of targets. The group has been observed targeting VMware ESXi virtual machines, with one victim being hit with a one million dollar demand. The attack terminates all ESXi VMs, encrypts files and drops a ransom note.
Data Security Perspective: Users should take preventative measures to ensure they are not infected with malware, and should have a ransomware backup strategy in place in the event of an infection. Open Raven can help with recovery from ransomware by automatically identifying critical data and resources, enabling fast recovery from backups.
☁️ Insecure Amazon S3 Bucket Exposed Personal Data on 500,000 Ghanaian Graduates
06/01/22
Researchers at vpnMentor have discovered an exposed AWS (Amazon Web Services) S3 bucket containing personal data related to Ghana’s National Service Secretariat (NSS). The data, which comprises three million files, includes PII such as employment records, ID cards, names, residences and passport photos. The breach appears to have resulted from a misconfiguration: the bucket was neither encrypted nor password protected, leaving it exposed for nearly four years.
Data Security Perspective: Cloud misconfigurations pose a massive risk to organizations and can have severe consequences. Organizations should ensure security policies are followed in order to prevent data exposure. A product such as Open Raven or Magpie can discover and alert on exposed data, along with other security policy violations.
Related Magpie Rules: opnrvn-r-22 | opnrvn-r-52 | opnrvn-r-54 | opnrvn-r-151
💳 FlexBooker Discloses Data Breach, Over 3.7 Million Accounts Impacted
06/01/22
Appointment scheduling service FlexBooker has been breached, with data from over three million accounts stolen. The threat actor behind the breach, Uawrongteam, is trading the stolen information on a hacking forum. The information stolen from FlexBooker’s AWS server includes PII (Personally Identifiable Information) such as email addresses, partial credit card data, phone numbers, hashed passwords and password salts.
Data Security Perspective: While it is unclear how the FlexBooker breach occurred, it is exceedingly important for organizations to handle sensitive information properly. Knowing where sensitive data is stored is fundamental, as outlined here.
Related Magpie Rules: opnrvn-r-1
💊 US Online Pharmacy Ravkoo Links Data Breach to AWS Portal Incident
06/01/22
Online pharmacy Ravkoo has been the victim of a data breach after the company’s cloud prescription portal was compromised. The portal, hosted on AWS, contained personal information including health and prescription data, which may have been compromised. While unconfirmed, the threat actor behind the attack claims all the data was available through a hidden admin panel that every user could log in to.
Data Security Perspective: Affected users should be aware of attempts to use the stolen personal information for fraudulent purposes. Organizations should ensure their services are managed following security policies to avoid unauthenticated access to data, especially sensitive data.
🎮 SEGA’s Sloppy Security Confession: Exposed AWS S3 Bucket Offers Up Steam API Access & More
04/01/22
Gaming company SEGA has disclosed a large list of exposed data it recently discovered. During a security audit, the company found it was storing sensitive data in an insecure AWS S3 bucket, including API keys, cloud systems, messaging systems and user data. While the data doesn’t appear to have been accessed, the consequences of threat actors gaining access to it could have been highly detrimental.
Data Security Perspective: Organizations need to make sure they follow cloud security practices in order to prevent their data being compromised. Open Raven automatically discovers data and notifies you where it is improperly configured.
Related Magpie Rules: opnrvn-r-52
🎶 On This Day…
On this day in 2008, Basshunter - Now You're Gone was number 1 in the UK. Very good!
Security Alert: Attack Campaign Involving Stolen OAuth User Tokens Issued to Two Third-Party Integrators
April 19, 2022
GitHub announced findings of a campaign in which an attacker used stolen OAuth credentials to access and download data from private repos, npm, and other organizations. The OAuth tokens appear to have been stolen from third-party integrators Heroku and Travis-CI and used to access data from organizations that use Heroku and Travis-CI. In one instance, an AWS API key was stolen and used to download private npm repositories. GitHub announced that GitHub repos have not been affected by this campaign and has notified the affected companies.
Data Security Perspective: Affected customers have been and continue to be notified by GitHub. In addition, users should review what authorization they have given to which applications and revoke any unnecessary or unknown authorizations.
AWS RDS Vulnerability Leads to AWS Internal Service Credentials
April 11, 2022
A researcher at Lightspin discovered a vulnerability in Amazon Relational Database Service (RDS). The vulnerability allows AWS credentials to be accessed by exploiting a local file read vulnerability using a Postgres extension. Using the RDS superuser role, a validation function can then be dropped allowing for a successful path traversal. This then leads to the exposure of temporary credentials for an AWS internal role, and subsequently the discovery of the internal service.
Data Security Perspective: AWS released a patch for the vulnerability and fixed all currently supported versions. AWS also confirmed that the vulnerability was not exploited by any other actors.
Cado Discovers Denonia: The First Malware Specifically Targeting Lambda
April 6, 2022
Researchers at Cado Security have identified what is being described as the first malware targeting AWS Lambda. The malware, named “Denonia”, is written in Go and appears to be designed to execute within Lambda, specifically to deploy a custom XMRig crypto miner. The method used to deploy the binary is currently unknown. However, the researchers speculate it may be due to compromised AWS secrets.
Data Security Perspective: While the impact of Denonia appears to be limited, the use of Lambda demonstrates threat actors expanding into various cloud environments. While the use of stolen AWS credentials is unconfirmed, unauthorized use of Lambda functions could prove costly for organizations. In the event of stolen AWS credentials, users should immediately delete or disable the credentials.
Over 8 Million Cash App Users Potentially Exposed In A Data Breach After A Former Employee Downloaded Customer Information
April 14, 2022
A data breach occurred at Cash App after a former employee accessed and downloaded customer data. The breach, which happened in December 2021, has affected over eight million users. How the employee accessed the data has not yet been revealed; presumably, they still had access to an account that was not deactivated.
Data Security Perspective: Former employees having access to company information after leaving is a massive security risk that is being seen in more data breaches. Companies need to ensure proper offboarding takes place to avoid unauthorized access. In addition, companies can use a product such as Magpie or Open Raven to identify who has access and to which data.
Related Magpie Rules: aws-iam-and-security-ensure-no-stale-roles-with-inline-policies-for-s3-access | aws-iam-and-security-iam-user-unused-credentials-check | aws-storage-s3-bucket-cloudtrail-logs | aws-storage-s3-bucket-logging-enabled
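The offboarding and unused-credentials checks referred to above can be run against an IAM credential report. The following is an added example, not Open Raven or Magpie code: it parses the CSV that `aws iam get-credential-report` returns (after base64 decoding) and flags active console passwords and access keys that have gone unused for longer than a threshold, or that were never used at all on a user older than that threshold. The report rows are constructed sample data, and the account id and user names are placeholders.

```python
"""Flag stale IAM credentials from an IAM credential report (added example).

Not Open Raven or Magpie code. The input is the CSV produced by
`aws iam get-credential-report` (after base64 decoding). Only the columns this
check needs are shown; the real report carries more (MFA, rotation dates, ...).
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample report. Account id and user names are placeholders.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2022-04-01T08:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-03-01T10:00:00+00:00,true,2022-04-10T14:30:00+00:00,true,2022-04-11T09:12:00+00:00,false,N/A
bob-left-2021,arn:aws:iam::123456789012:user/bob-left-2021,2020-06-15T10:00:00+00:00,true,2021-11-30T17:45:00+00:00,true,2021-12-02T08:00:00+00:00,false,N/A
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,2021-01-05T10:00:00+00:00,false,no_information,true,N/A,true,2022-04-12T01:00:00+00:00
"""


def _parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_stale_credentials(report_csv, as_of, max_unused_days=90):
    """Return (user, credential, reason) tuples for credentials that are active
    but unused for more than max_unused_days, or active and never used on a user
    older than that threshold. as_of is an ISO 8601 timestamp string."""
    cutoff = _parse_ts(as_of) - timedelta(days=max_unused_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        created = _parse_ts(row["user_creation_time"])
        credentials = (
            ("password", row["password_enabled"], row["password_last_used"]),
            ("access_key_1", row["access_key_1_active"], row["access_key_1_last_used_date"]),
            ("access_key_2", row["access_key_2_active"], row["access_key_2_last_used_date"]),
        )
        for name, active, last_used in credentials:
            if active != "true":  # disabled, absent, or not_supported (root password)
                continue
            used = _parse_ts(last_used)
            if used is None:
                # Never used: only report it once the user itself is older than the threshold
                if created is not None and created < cutoff:
                    findings.append((row["user"], name, "active but never used"))
            elif used < cutoff:
                findings.append((row["user"], name, f"unused since {used.date()}"))
    return findings


if __name__ == "__main__":
    for user, cred, reason in find_stale_credentials(SAMPLE_REPORT, "2022-04-14T00:00:00+00:00"):
        print(f"{user}: {cred} {reason}")
```

Run against the sample with a 90-day threshold as of 14 April 2022, the departed user's password and first access key and the service user's never-used key are reported; alice and the root account (whose password the report marks as not_supported) are not. The threshold is a parameter because what counts as "stale" differs between human users and service accounts.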
Other News
Git Security Vulnerabilities Prompt Updates
Cloud Native Technologies Used In Russia-Ukraine Cyber Attacks
LockBit Ransomware Gang Lurked In A U.S. Gov Network For Months
Large-scale npm Attack Targets Azure Developers With Malicious Packages
Highlighted Security Tool
Kubesec is an open source security scanner for Kubernetes. The tool scans your resource YAML file to return a score based on how secure your containers are, and identifies any vulnerabilities.
Cloud Security Bulletins
AWS
GCP
Data security thoughts...
New Spring Java Framework Zero-Day Allows Remote Code Execution
March 30, 2022
A zero-day vulnerability has been found in the Spring Core Java Framework. The vulnerability, “Spring4Shell” or “CVE-2022-22965”, allows for remote code execution due to a bypass for “CVE-2020-1622”, a vulnerability in the Java Beans API. For a malicious actor to exploit Spring4Shell, a simple HTTP request to a vulnerable system with DataBinder enabled, carrying an appropriate payload based on the configuration, is required. Microsoft released research detailing how an attacker can change the AccessLogValve class to create a .jsp containing a web shell based on the specified parameters, which can then be used to execute commands from the attacker.
Data Security Perspective: Users are encouraged to update to Spring Framework versions 5.3.18 or 5.2.20. Other workarounds include upgrading Tomcat, downgrading to Java 8, or setting “disallowedFields” on WebDataBinder globally. While multiple conditions are required to exploit this vulnerability, there are reports of it being exploited in the wild. Users should immediately seek to prevent exploitation.
Stop Neglecting Your Cloud Security Features: Check Point Research Found Thousands of Open Cloud Databases Exposing Data In The Wild
March 15, 2022
Researchers at Check Point have identified over 2,000 insecure Firebase databases. Many of the exposed application databases have millions of downloads and expose customer data, including bank information, location, health data, phone numbers, and private keys, among other sensitive data. The applications had previously been uploaded to VirusTotal, an anti-virus repository, with the insecure data available for anyone who comes across it.
Data Security Perspective: While cloud misconfigurations can be seen as a simple security issue, many organizations continue to suffer damage from databases that are improperly secured. Properly configuring data stores is incredibly important, especially when handling sensitive and customer data, as leaks can be expensive. Exposed databases can also be used by attackers for malicious purposes, such as modifying their content for extortion.
Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices | gcp-storage-cloud-bucket-public-access
Cr8escape: New Vulnerability in CRI-O Container Engine Discovered By Crowdstrike (CVE-2022-0811)
March 15, 2022
A vulnerability in the Kubernetes container engine CRI-O has been identified by security researchers at Crowdstrike. Named “cr8escape” and designated “CVE-2022-0811”, it is a high-severity flaw that, if exploited, could enable a malicious actor to gain root access to and control over a Kubernetes pod. With access to a pod, an attacker could host malware, exfiltrate data, or use it for privilege escalation.
Data Security Perspective: Users of Kubernetes CRI-O should immediately update to the most recent version. In addition, OpenShift 4+ and Oracle Container Engine for Kubernetes, which use CRI-O, may also be vulnerable.
‘Dirty Pipe’ Linux Vulnerability Discovered
March 7, 2022
A Linux vulnerability was discovered by security researcher Max Kellermann that enables data to be overwritten in arbitrary read-only files. The vulnerability, designated “CVE-2022-0847”, affects Linux kernel versions 5.8 and over, although it has been patched in later versions. To exploit the vulnerability, an attacker needs read permission on the target file, a few other conditions, and a particular sequence of data movements within a pipe; altogether not highly complicated. The read permission is essential because it is needed for the splice() function to write data from the target file into the pipe. Write permission, however, is not needed. An attacker can exploit this vulnerability to elevate privileges, which can be used as part of an attack such as escaping a container.
Data Security Perspective: Any vulnerability that enables threat actors to gain elevated privileges is high risk, as it can typically be used to gain access to other systems, depending on their intent. If an attacker were to exploit this vulnerability, all of the target’s systems would be under their control, including their data. Linux users are urged to immediately update their kernel version.
Ex CafePress Owner Fined $500,000 For 'Shoddy' Security, Covering Up Data Breach
March 17, 2022
The former owner of CafePress, an e-commerce platform, has been fined $500,000 for mishandling security, particularly in relation to customer data. The Federal Trade Commission (FTC) outlined how the company failed to secure sensitive customer data, was unable to prevent data breaches, and attempted to hide serious breaches. Improperly secured data included customer PII such as cleartext password reset answers, partial payment card numbers, phone numbers, and unencrypted Social Security numbers. This data was later posted for sale online, and CafePress did not patch the vulnerability that enabled the exfiltration until months later.
Data Security Perspective: While many of the issues in this story were due to malpractice on the part of CafePress, it is important that all organizations have visibility into sensitive data locations. As highlighted by this story, data breaches are expensive for companies.
Other News
Unsecured Microsoft SQL, MySQL Servers Hit By Gh0stCringe Malware
BIG sabotage: Famous npm Package Deletes Files to Protest Ukraine War
KrisShop Falls Prey to Data Breach, Nearly 5k Customer Accounts Impacted
Facebook Fined $18.6M Over String Of 2018 Breaches of EU’s GDPR
Useful Tools
Previous newsletters covered recent Linux vulnerabilities, so we thought we would highlight a useful open source tool called Lynis. Lynis can be used to scan UNIX-based systems to identify vulnerabilities. Lynis also supports penetration testing, auditing, compliance, and system hardening projects.
Cloud Security Bulletins
AWS
GCP
- GCP-2022-011
- GCP-2022-010 (high severity)
- GCP-2022-009
From The Editor
Welcome, and thanks for reading. In our second issue, we explore the data security impact of two newly discovered vulnerabilities and review recent data breaches in AWS and Azure. If you have feedback or suggestions, send a note to hello@openraven.com.
New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?
March 3, 2022
In February, Linux announced a high-severity privilege escalation vulnerability designated "CVE-2022-0492". Researchers at Unit42 identified how this vulnerability can be exploited to potentially escape containers. Control groups (cgroups) are a Linux kernel feature used to allocate and limit resources; each cgroup hierarchy contains a release_agent file. The vulnerability lies in this file: if notify_on_release is enabled, the binary named in release_agent runs with full permissions, but the kernel did not check for admin privileges before allowing the file to be written, which is the vulnerability. Whether it can be exploited depends on circumstances such as the security modules and profiles in use. In the right situations, the vulnerability can be used to escalate privileges for malicious purposes.
Data Security Perspective: All Linux users should immediately upgrade to the latest available version(s). Should an attacker exploit this vulnerability, they can gain access to sensitive data, gather system information and establish persistence. In addition, users should follow best security practices, including enabling Linux security modules such as Seccomp, SELinux, and AppArmor. As the vulnerability exists in the Linux kernel, all distributions are at risk and should follow security advisories for their distro. Users of AWS, GCP, and Kubernetes should enable Seccomp to restrict container privileges.
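The Seccomp recommendation above, and the Kubesec scanner highlighted under "Highlighted Security Tool", both come down to checking a workload's manifest for the settings that hand a container host-level privileges or leave hardening off. The following is an added example in the spirit of such a scanner; it is not Kubesec's code or scoring and not Open Raven's. The two manifests are constructed Python dicts (with placeholder image names) so the example runs without PyYAML; a real scanner would load YAML with yaml.safe_load and apply the same checks to the resulting dict. The weighting in score() is this example's own.

```python
"""Static hardening checks on a Kubernetes Pod manifest (added example).

Not Kubesec's code or scoring, and not Open Raven's: a small checker in the
spirit of the tool, with its own weighting. The manifests are constructed as
Python dicts so the example runs without PyYAML.
"""

# Constructed pod that hands the container host-level privileges.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "shell", "image": "example.test/shell:latest",  # placeholder image
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

# Constructed pod with the hardening this checker looks for, including a seccomp profile.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api", "image": "example.test/api:1.0",  # placeholder image
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}


def _containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])


def check_pod(pod):
    """Return (severity, location, message) findings for one Pod manifest.
    'critical' settings give the container host-level power; 'advise' ones are
    missing hardening, including the seccomp profile recommended above."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(("critical", "spec", f"{flag} is true"))
    for c in _containers(spec):
        loc = f"container/{c.get('name', '?')}"
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            findings.append(("critical", loc, "privileged: true"))
        if "SYS_ADMIN" in caps.get("add", []):
            findings.append(("critical", loc, "adds CAP_SYS_ADMIN"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("advise", loc, "allowPrivilegeEscalation not set to false"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("advise", loc, "runAsNonRoot not set"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("advise", loc, "readOnlyRootFilesystem not set"))
        if "ALL" not in caps.get("drop", []):
            findings.append(("advise", loc, "capabilities.drop does not include ALL"))
        if not (sc.get("seccompProfile") or pod_sc.get("seccompProfile")):
            findings.append(("advise", loc, "no seccompProfile at pod or container level"))
    return findings


def score(findings):
    """This example's own weighting: each critical finding -10, each advise -1."""
    return sum(-10 if sev == "critical" else -1 for sev, _, _ in findings)


if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        found = check_pod(pod)
        print(pod["metadata"]["name"], "score", score(found))
        for sev, loc, msg in found:
            print(f"  [{sev}] {loc}: {msg}")
```

The risky manifest collects three critical findings (hostPID, privileged, CAP_SYS_ADMIN) and five advisory ones; the hardened manifest collects none. Checks are made at both pod and container level because runAsNonRoot and seccompProfile can be set at either.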
AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service
March 7, 2022
Researchers at Orca Security identified a critical vulnerability in the Microsoft Azure Automation Service. The vulnerability, named "AutoWarp," enables access to Managed Identity tokens for other user accounts, which can then grant full access to resources and data. Orca researcher Yanir Tsarimi wrote a simple Python script to make HTTP requests to a range of ports, retrieving other users' identity endpoints, including those of several large companies.
Data Security Perspective: AutoWarp demonstrates how vulnerabilities can exist in systems often trusted to be secure. Malicious actors can exploit the flaw to gain complete control of resources and data and elevate privileges. Microsoft patched the vulnerability and has not identified any token misuse. In addition, Azure Automation users are encouraged to follow best practices.
Luxury Children's Fashion E-Commerce Site Exposes Customers Worldwide
February 21, 2022
The security team at SafetyDetectives discovered a breach affecting French fashion retailer Melijoe. Melijoe had a misconfigured S3 bucket that exposed roughly 200 GB of data. The data contained customer PII including addresses, birth dates, email addresses, gender, children's names, payment information, and past purchases. Melijoe uploaded data to the unsecured bucket from October 2016 until November 2021, when SafetyDetectives notified the company of the exposure.
Data Security Perspective: Misconfigured S3 buckets are a common cause of data exposures. In this instance, Melijoe left their AWS S3 bucket publicly accessible due to a lack of password protection. S3 users should ensure buckets are configured with appropriate password protection. The Open Raven Data Security Platform and Magpie, our open-source CSPM, can alert users to misconfigurations and other security policy violations.
Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices
Internet Society Data Leak Exposed 80,000 Members' Login Details
February 18, 2022
The Internet Society (ISOC), a non-profit organization, announced a data leak due to a third-party vendor. Security researchers at Clario identified the exposed data after discovering a misconfigured Azure blob repository. The repository was publicly accessible and contained PII of members, including addresses, email addresses, login credentials, and names. The Internet Society stated that there is no evidence of any malicious actors accessing the information.
Other News
Duncan Regional Hospital data breach impacts 92K
Cookware giant Meyer discloses cyberattack that impacted employees
Did You Know
...that well-thought-out and well-maintained dataclasses are vital to any data classification software? Or that human data is one of the most difficult to match? In our latest article, Introduction to Regex Based Data Classification for the Cloud, you can learn everything you need to know about writing and developing dataclasses.
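A dataclass in the sense used above is more than a regex: a pattern alone over-matches (any 16 digits look like a card number, any ddd-dd-dddd looks like an SSN), so a well-maintained dataclass pairs the pattern with a validation step. The following is an added example, not Open Raven's dataclass format or code: a minimal DataClass type with two instances, a Luhn check for payment card numbers and a range check for SSNs, run over constructed sample text that contains one real-looking record and two decoys.

```python
"""A regex-based dataclass with a validator (added example, not Open Raven code).

The validator rejects the false positives the pattern lets through. The text
being scanned is constructed sample data.
"""
import re


class DataClass:
    def __init__(self, name, pattern, validator=None):
        self.name = name
        self.pattern = re.compile(pattern)
        self.validator = validator

    def find(self, text):
        """All pattern matches that also pass the validator (if any)."""
        return [m.group(0) for m in self.pattern.finditer(text)
                if self.validator is None or self.validator(m.group(0))]


def luhn_ok(candidate):
    """Luhn checksum over the digits of candidate, separators ignored."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(candidate):
    """Reject area/group/serial values that are never issued."""
    area, group, serial = candidate.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


DATACLASSES = [
    DataClass("credit_card", r"\b(?:\d[ -]?){15}\d\b", luhn_ok),
    DataClass("ssn", r"\b\d{3}-\d{2}-\d{4}\b", ssn_ok),
]

# Constructed sample text: one real-looking record and two decoys.
SAMPLE_TEXT = """\
customer: Jane Doe, ssn 219-09-9999, card 4111 1111 1111 1111
test record: ssn 000-12-3456, card 4111-1111-1111-1112
order id 1234-5678-9012 (not a card)
"""


def scan(text, dataclasses=DATACLASSES):
    """Map each dataclass name to the validated matches found in text."""
    return {dc.name: dc.find(text) for dc in dataclasses}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_TEXT).items():
        print(name, hits)
```

On the sample text only the first line's values survive: the second line's card number fails the Luhn check and its SSN has an area number of 000, and the 12-digit order id never matches the card pattern at all.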
From the editor:
Welcome to our first issue. Thanks for reading. This week, we explore several recent data leaks and breaches, provide links to new Magpie rules that help close data security gaps, and provide a helpful tip about using NAT gateways in AWS VPCs. We'll add new sections and topics over time. If you have feedback or suggestions, send a note to hello@openraven.com.
Malicious Kubernetes Helm Charts Can Be Used To Steal Sensitive Information From Argo CD Developments
February 3, 2022
Security researchers at Apiiro have identified a zero-day vulnerability in Argo CD, a popular continuous delivery (CD) platform. The vulnerability, designated “CVE-2022-24348”, can allow a malicious actor to access API keys, passwords, secrets and tokens, among other sensitive information, which can be utilized in further attacks for privilege escalation and lateral movement.
Data Security Perspective: Users of Argo CD are urged to immediately apply the patch for this vulnerability that has been released for multiple versions.
British Council Data Breach Leaks 10,000 Student Records
February 3, 2022
Security Researchers from Clario have identified a data breach that has exposed over 10,000 student records held by the British Council. The data, which included study durations, enrollment dates, email addresses, full names, and student IDs was held on an open Microsoft Azure blob repository. The blob container contained more than 144,000 files, according to researchers.
Data Security Perspective: Affected users should be aware of attempts to use the stolen personal information for fraudulent purposes. Organizations should ensure their services follow security policies to avoid unauthenticated access to data, especially sensitive data.
Telco Fined €9 Million For Hiding Cyberattack Impact From Customers
February 1, 2022
Hellenic Telecommunications Organization (OTE) has been fined €9 million over sensitive customer information that leaked in a breach. OTE Group is the largest technology company in Greece, providing telecom services. The company was breached in 2020 and a threat actor stole 48GB of data that included age, gender, positional data, and plan information.
Data Security Perspective: Data breaches are increasingly common and highly costly issues facing organizations. Open Raven identifies where sensitive data is stored and isn’t adequately protected. Products such as Open Raven, or Magpie, can discover and alert to exposed data, along with other security policy violations and prevent expensive data leaks.
Unsecured AWS Server Exposed 3TB In Airport Employee Records
January 31, 2022
An unsecured AWS S3 bucket exposed over one million files containing sensitive data. The data contained information related to employees of airports across Colombia and Peru and was stored in a bucket owned by security company Securitas. The exposed information included occupations, ID photos, names, PII, and airport information regarding planes, GPS, luggage handling, and fueling lines.
Data Security Perspective: Cloud misconfigurations pose a massive risk to organizations and can have severe consequences. Organizations should ensure security policies are followed in order to prevent data exposure. Solutions such as Open Raven or Magpie can discover and alert about exposed data, along with other security policy violations.
Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-iam-and-security-iam-attached-policies | aws-security-best-practices
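The S3 exposures in this and earlier issues (the Securitas bucket above, Melijoe, SEGA and the Ghanaian NSS bucket) all reduce to the same question: can an unauthenticated principal reach the bucket? Three documents decide that: the bucket policy, the bucket ACL, and the Block Public Access configuration. The following is an added example, not Open Raven or Magpie code, that evaluates those three documents as the GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls return them. All inputs are constructed; the account id, bucket name and role name are placeholders.

```python
"""Evaluate whether an S3 bucket is publicly reachable (added example).

Not Open Raven or Magpie code. Reports public policy statements, public ACL
grants, and Block Public Access settings left disabled.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_policy_statements(policy):
    """Sids of Allow statements open to any principal and carrying no Condition."""
    sids = []
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and everyone and not st.get("Condition"):
            sids.append(st.get("Sid", "<no sid>"))
    return sids


def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    grants = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            grants.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return grants


def assess_bucket(policy, acl, public_access_block):
    """Return (severity, message) findings. A public statement or grant is 'high'
    unless the matching Block Public Access setting neutralises it."""
    findings = []
    pab = public_access_block or {}
    for sid in public_policy_statements(policy):
        if pab.get("RestrictPublicBuckets"):
            findings.append(("info", f"public policy statement '{sid}' is restricted by RestrictPublicBuckets"))
        else:
            findings.append(("high", f"bucket policy statement '{sid}' allows any principal"))
    for group, perm in public_acl_grants(acl):
        if pab.get("IgnorePublicAcls"):
            findings.append(("info", f"ACL grant {perm} to {group} is ignored by IgnorePublicAcls"))
        else:
            findings.append(("high", f"ACL grants {perm} to {group}"))
    for key in PAB_KEYS:
        if not pab.get(key):
            findings.append(("medium", f"Block Public Access setting {key} is disabled"))
    return findings


# Constructed: a bucket that is world-readable by policy and by ACL.
EXPOSED = {
    "policy": json.loads("""{"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}"""),
    "acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "public_access_block": {key: False for key in PAB_KEYS},
}

# Constructed: the same bucket limited to one role, with Block Public Access on.
HARDENED = {
    "policy": json.loads("""{"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}"""),
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]},
    "public_access_block": {key: True for key in PAB_KEYS},
}


if __name__ == "__main__":
    for label, bucket in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label)
        for sev, msg in assess_bucket(**bucket):
            print(f"  [{sev}] {msg}")
```

A statement with a Condition (for example one restricting access to a VPC endpoint) is deliberately not counted as public, since whether it is depends on the condition; a scanner that wants to be conservative can drop that exclusion. Enabling all four Block Public Access settings turns the two high findings into informational ones, which is why the rules above treat those settings as the baseline.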
New Docker Cryptojacking Attempts Detected Over 2021 End-of-Year Holidays
January 27, 2022
Misconfigured Docker APIs have become a popular target for threat actors looking to mine cryptocurrency. Researchers at CrowdStrike have recently observed a crypto mining operation that targets exposed Docker APIs to deploy a Monero miner. A series of bash scripts is used to stop containers, run xmrig, and scan IP ranges. Many groups have been taking advantage of Docker misconfigurations, including Kinsing, TeamTNT, and WatchDog.
Data Security Perspective: Docker users should ensure they correctly configure their containers. Additionally, users should only use images from trusted sources.
Did You Know?
...the default NAT gateway timeout in an AWS VPC is 5 minutes and 50 seconds? If you’re running Kubernetes (K8s) infrastructure in an AWS VPC through a NAT gateway, check out our blog post to learn more.