Shiba Inu Cloud Credentials Leaked In A Major Security Breach
September 8, 2022
Researchers at Pingsafe found leaked AWS credentials belonging to cryptocurrency Shiba Inu. The leaked AWS keys were posted in a commit to Shiba’s public Github repo by one of Shiba’s developers and were valid for two days. Having leaked AWS credentials opens the user to a large range of issues, as if they are abused the AWS account can be fully accessed.
Data Security Perspective: Leaked developer secrets can open an organization to a host of issues, including abuse by threat actors. Users should ensure credentials are not committed to public repositories or hard coded into applications.
TikTok Denies Security Breach After Hackers Leak User Data, Source Code
September 5, 2022
Social media company TikTok denies that the company has suffered a large breach. Hacking group “AgainstTheWest” posted on a hacking forum claims of TikTok and WeChat being breached using screenshots of databases as evidence. The database includes over 2 billion records, including 790GB of user data, source code, authentication tokens, and server information. TikTok claims the data does not belong to TikTok however, some researchers have analyzed the data and believe it is legitimate.
Data Security Perspective: Organizations need to ensure they have secure practices in place, especially when dealing with user and customer information.
Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information
September 1, 2022
In a report by Symantec’s Threat Intelligence team, the group identified that over three-quarters of the applications they analyzed contained AWS keys. Out of 1,859 analyzed apps which included Android and iOS, 77% contained valid AWS access tokens to private AWS cloud services, with 98% of the apps containing AWS tokens being iOS applications. The exposure of keys is mainly coming from vulnerable libraries that provide full access to the cloud account, as opposed to for singular files.
Data Security Perspective: Exposed credentials are an ever-growing concern for applications, either from developers accidentally exposing credentials or, as this story highlights, the problem of third parties leaking credentials. Users need to ensure credentials are not hardcoded into applications, especially if the keys have full access permissions.
Manx Care Faces £170k Fine Over Patient Data Breach
August 18, 2022
Manx Care, the healthcare provider of the Isle of Man is facing a £170k fine if they don’t implement measures to protect patient data. The penalty is the result of a breach that occurred last year when Manx Care sent an email containing a patient’s confidential data to 1,870 recipients. The fine will go into place if security measures are not taken out by the end of the year.
Data Security Perspective: Organizations dealing with sensitive information, especially health data, need to make sure to have practices in place to prevent any kind of breach or exposure of that data. This story highlights how high the fines can be for health data exposure, even if it is the data of one person.
DoorDash Discloses New Data Breach Tied To Twilio Hackers
August 26, 2022
Food delivery service DoorDash has disclosed a data breach that exposed customer and employee data. The company announced that a threat actor used stolen credentials from a third-party to gain access to their systems. The third party appears to be Twilio, who recently suffered a large data breach. The data includes email addresses, delivery addresses, names, and phone numbers with some affected customers having order and partial credit card information exposed.
Data Security Perspective: This story highlights the issue of third-party data breaches, with one data breach leading to many other follow-on data breaches. Affected customers should be vigilant against phishing attacks that may try to use their personal information.
Other News…
Customers' Data Of This Cloud Platform Is Exposed
Security Breaks: TeamTNT’s DockerHub Credentials Leak
U-Haul Discloses Data Breach Exposing Customer Driver Licenses
LastPass Discloses Data Breach
49ers Data Breach May Have Exposed More Than 20,000 People to ID Theft, Documents Say
Samsung Confirms Data Breach, Personal Customer Data Stolen
Data Breach Takes Down IHG Hotel Group Booking System, Impacting Holiday Inn, Kimpton And More
DaVita Inc. Confirms Recent Data Breach Leaked SSNs and Health Information
Indonesia Investigating Alleged Data Breaches at State-owned Firms
Cloud Security Bulletins
AWS
Data security thoughts...
Cisco Hacked: Ransomware Gang Claims It Has 2.8GB Of Data
August 10, 2022
Cisco confirmed they were the victim of a ransomware gang after the stolen files were posted on the dark web. The threat actors behind the attack are Yanluowang group, who used stolen employee credentials and tricked them into accepting MFA requests. Once they gained access to the VPN they were able to move through the corporate network and install malware. The group allegedly stole 2.75 GB of data and tried to extort Cisco with the data. However, no actual ransomware was deployed.
Data Security Perspective: Organizations should ensure employees are trained in security practices to avoid credential theft or being the victim of social engineering. In addition, companies can review the permissions for employee accounts and limit access to certain material that threat actors may steal once they gain access.
120K Priority Health Members Impacted By Third-Party Data Breach
Michigan-based health insurance company Priority Health has announced they have suffered a third-party data breach. The breach may have exposed first and last names, pharmacy and claim information, drug names, and prescriptions dating back to 2012. The third-party breach occurred at a law firm, Warner Norcross and Judd, in October 2021, when the unauthorized activity occurred in their systems.
Data Security Perspective: This incident highlights the ongoing problem of third-party breaches. When organizations rely on third parties to handle their sensitive information, they must trust that the third party will take all precautions to protect the data.
Twitter Fixes Security Bug That Exposed At Least 5.4 Million Accounts
August 5, 2022
A security vulnerability has led to the exposure of 5.4 million Twitter accounts. The vulnerability, which Twitter claims is now fixed, allowed anyone to enter a phone number or email address of a known user to potentially identify associated Twitter accounts. While the bug was fixed in January, threat actors had already been able to exploit the vulnerability and create a database containing the phone number and email addresses of Twitter accounts, including high-profile users.
Data Security Perspective: Affected Twitter users should take precautions to protect their accounts and be aware of attempts at phishing. In addition, other steps such as MFA should be enabled.
Twitter API Leak Can Open Door To Building a Bot Army, CloudSEK Reports
August 1, 2022
Researchers at CloudSEK have identified over 3,000 mobile apps that are exposing developer secrets. The secrets leaked are Twitter API keys containing valid consumer keys and secrets. Whoever has these keys can perform actions as that account, including reading and writing messages, writing tweets, accessing account settings, and any other associated actions. The keys typically are leaked by developers who have left them embedded in the application.
Data Security Perspective: Human error and accidental credential leaks are common mistakes that can lead to organizations being breached. Users should ensure secure programming practices are used, and credentials should never be released in production.
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
July 19, 2022
Researchers at Palo Alto have identified a campaign conducted by Russian threat group APT29, targeting a NATO country. The campaign, which occurred in May 2022, used suspicious PDF files sent via email that contained a link to an EnvyScout payload hosted on DropBox. During a second campaign, Palo Alto observed the same threat actors using Google Drive to store data stolen by the malware.
Data Security Perspective: As most organizations are moving to the cloud, so are threat groups. This tactic allows the group to avoid detection due to their trust in DropBox and Google Drive. Organizations should ensure employees are protected against emails containing malicious attachments.
Other News
7 Eleven Denmarks Confirms Ransomware Attack Behind Store Closures
Automotive Supplier Breached By 3 Ransomware Gangs In 2 Weeks
Phishing Attack Abuses Microsoft Azure, Google Sites To Steal Crypto
Cloudflare Employees Also Hit By Hackers Behind Twilio Breach
Kansas MSP Shuts Down Cloud Services To Fend Off Cyberattack
Cloud Security Bulletins
GCP
Data security thoughts...
Mangatoon Data Breach Exposes Data From 23 Million Accounts
July 9, 2022
Manga platform “Mangatoon” has suffered a data breach that exposed 23 million user accounts. The breach, which occurred in May, exposed PII of users including auth tokens, email addresses, gender, names, and hashed passwords. A known threat actor stole the data by gaining access to Mangatoon’s Elasticsearch server using weak credentials.
Data Security Perspective: This story highlights the necessity of strong credentials, as allegedly the password for the database was simply “password”. Organizations should ensure they have security policies in place to ensure strong credentials are used to avoid data breaches like this one.
From The Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts
July 18, 2022
Researchers from Sentinel One observed an expansion of the crimeware group 8220 to around 30,000 hosts. The group typically targets Linux and cloud environments through vulnerabilities or insecure configurations. Using a series of simple scripts, the victim is infected, and installs PwnRig crytomning. AWS, Azure, GCP, Alitun and GCloud are all common targets for group 8220.
Data Security Perspective: Cloud users should ensure all vulnerabilities are patched and make sure all cloud environments are properly secured. A CSPM such as Magpie can help notify users of misconfigurations in their AWS environment.
Exploiting Authentication in AWS IAM Authenticator for Kubernetes
July 11, 2022
Lightspin researcher, Gafnit Amiga, has identified another AWS vulnerability, this time in AWS IAM Authenticator for Kubernetes. The vulnerability “CVE-2022-2385” could enable a threat actor to escalate privileges in Elastic Kubernetes Service clusters by impersonating other identities. Within the IAM Authenticator for Kubernetes, a configuration to use the AccessKeyID is a line of code where the vulnerability exists. The code uses “ToLower” which a threat actor can use to send a different variable with the same name by sending as uppercase and lowercase.
Data Security Perspective: EKS users who do not use the AccessKeyID template are protected from the vulnerability. However, users who do use the AccessKeyId template should update AWS IAM Authenticator for Kubernetes to the latest version.
California Data Breach Exposes Thousands of Gun Owners
July 2, 2022
The Firearms Dashboard, California’s gun database, experienced a data breach, exposing PII of gun owners. The Department of Justice uploaded and left publically accessible a spreadsheet containing addresses, birth dates, criminal histories, driving licenses, genders, names and races of California gun owners. The spreadsheet was taken down within 24 hours. However, the DOJ announced that other parts of the Gun database might also have been exposed.
Data Security Perspective: This story highlights how human error can leak personal information. Organizations dealing with PII need to be careful with how the data is handled and stored. For organizations using cloud storage, a DSPM such as Open Raven can tell you where sensitive data is stored, minimizing the risk of unwanted data exposure.
Neopets Security Breach: Users’ Data Reportedly Stolen
July 22, 2022
Virtual pet website Neopets has announced that they may have been the victim of a data breach, potentially exposing the PII of up to 69 million users. Neopets’ database and some source code appears to have been stolen by a hacker who is trying to sell the information for four bitcoins, or approximately $90,500. The stolen information includes birth dates, country, email addresses, gender, postcodes, and game information.
Data Security Perspective: Neopets recommends that all users update their passwords. While it is unknown how the breach occurred, organizations should maintain good security practices such as enabling two-factor authentication.
Other News
Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware ⚡
More Than 4,000 Individuals’ Medical Data Left Exposed For 16 Years
Flipkart’s Cleartrip Confirms Data Breach After Hackers Put Data For Sale
UK Heat Wave Causes Google and Oracle Cloud Outages
Data security thoughts...
Millions of Secrets Exposed via Web Application Frontend – An Internet-Wide Study
June 14, 2022
A study by RedHatLabs has shown how many secrets web applications expose. Researchers using a scanner gathered nearly 400,000 secrets out of the top one million sites. The secrets exposed include AWS secret keys, Facebook tokens, GCP API keys, reCAPTCHA keys, and Stripe tokens, the majority of which were exposed via JavaScript files.
Data Security Perspective: This report highlights the ongoing issue of leaked developer secrets. Once these secrets are exposed, malicious actors can take them and use them for lateral movement. Users should rotate keys in addition to using a product such as Open Raven that can help discover exposed developer secrets.
12K Misconfigured Elasticsearch Buckets Ravaged by Extortionists
June 1, 2022
Researchers from SecureWorks Counter Threat Unit identified public-facing ElasticSearch databases that had been replaced with ransom notes. Over 1,200 databases were found with the ransom note due to having no authentication. The ransom note requests $620 to a BitCoin wallet. The researchers believe an automated script was most likely used to identify the databases.
Data Security Perspective: Users should ensure their cloud assets are secure by enabling authentication and other security measures such as two-factor authentication. Using a DSPM, such as Open Raven, can discover cloud assets and any misconfigurations.
Related Magpie Rules: aws-big-data-and-analytics-elasticsearch-node-to-node-encryption.yaml
Hotel Giant Marriott Confirms Yet Another Data Breach
July 6, 2022
Hotel chain Marriott confirmed that they have again been a data breach victim. The breach apparently occurred in June when threat actors used social engineering to trick an employee into giving them physical access to their computer, allowing them to steal over 20 gigabytes of data. The stolen data included sensitive information - guest credit card and employee details.
Data Security Perspective: Organizations need to make sure to have a strong security policy in order to protect their own data, as well as customers’ PII.
Korean Loyalty Platform Exposed Around a Million Customers’ Personal Data
July 6, 2022
Korean loyalty platform Dodo Point exposed over 38 gigabytes of customer PII through an unsecured Amazon S3 bucket. The bucket contained business data, client payment details, and customer personal data, including names, birth dates, phone numbers, and email addresses, covering a 10-year period. The exposed Amazon S3 bucket was not configured with encryption or password protection.
Data Security Perspective: Misconfigured cloud assets are a continual problem for cloud users. It is vital for organizations to properly secure their data. Amazon S3 buckets should have encryption and authentication measures in place. A DSPM product such as Open Raven can discover data and identify where misconfigurations are occurring.
Related Magpie Rules: aws-storage-s3-default-encryption-kms.yaml | aws-storage-s3-bucket-default-lock-enabled.yaml | aws-storage-s3-bucket-level-public-access-prohibited.yaml | aws-storage-s3-bucket-public-write-prohibited.yaml | aws-s3-best-practices.yaml
Report: Over 300k Residents in the Philippines Exposed in Covid-19 Relief Portal Leak
July 6, 2022
Researchers from VPNMentor identified a data breach involving Proud Makatizen, the official website of the city of Makati in the Philippines. The website, which originally started as a COVID-19 portal, had a misconfigured Amazon S3 bucket containing over 620,000 files totaling 39 gigabytes. The exposed data included financial information, names, nationally, medical information, and photo IDs.
Data Security Perspective: Once again, as with the above stories, this further highlights the issue of cloud misconfigurations and the associated risks of not having proper security controls in cloud assets.
Related Magpie Rules: aws-storage-s3-default-encryption-kms.yaml | aws-storage-s3-bucket-default-lock-enabled.yaml | aws-storage-s3-bucket-level-public-access-prohibited.yaml | aws-storage-s3-bucket-public-write-prohibited.yaml | aws-s3-best-practices.yaml
Other News
OpenSea discloses data breach, warns users of phishing attacks
Aon Hack Exposed Sensitive Information of 146,000 Customers
YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom”
Checkmate Ransomware via SMB Services Exposed to the Internet
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
Cloud Security Bulletins
GCP
Data security thoughts...
Public Travis CI Logs (Still) Expose Users to Cyber Attacks
June 13, 2022
Researchers at Aqua Security released research detailing how tens of thousands of user tokens were exposed via Travis CI API. By using an API call, millions of logs can be accessed in clear text. Within these logs are credentials, developer secrets, and tokens from cloud providers, including AWS, Docker Hub, and GitHub. The exposure of this information could lead to account takeover, database access, privileged access to code repos, or using the data for lateral movement within other services such as AWS S3.
Data Security Perspective: Users should regularly rotate credentials, keys, and tokens so that in the event these are stolen, they will not be of use. Additionally, users should not print these secrets to logs as the report explains how they can be exposed inadvertently in logs. Finally, organizations should deploy a data security platform to help identify where their secrets are stored.
Turkish Based Airline’s Sensitive EFB Data Leaked
May 30, 2022
Turkish Airline Pegasus Airline has had its Electronic Flight Bag (EFB) left exposed due to an AWS S3 bucket left without password protection. The bucket, which contained almost 23 million files, included crew PII, source code, and sensitive flight information. The exposed data included flight charts and revisions, pre-flight checks, insurance documents, photos and signatures of staff, plaintext passwords, AWS secret keys, among other files. Pegasus has since secured the bucket.
Data Security Perspective: More and more companies are facing large data exposures, frequently due to Amazon Web Services misconfigurations. In this instance, Pegasus left their AWS S3 bucket publicly accessible due to a lack of password protection and is facing fines as a result. S3 users should ensure their buckets are configured appropriately, especially with adding password protection. The Open Raven Data Security Platform and Magpie, our open-source CSPM, can alert users to misconfigurations and other security policy violations.
Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-iam-and-security-iam-attached-policies | aws-security-best-practices
SynLapse – Technical Details for Critical Azure Synapse Vulnerability
June 14, 2022
Researcher Tzah Pahima from Orca Security has discovered a vulnerability in Microsoft Azure. The vulnerability, named “SynLapse”, enables attackers to gain credentials, control other Synapse workspaces, execute code, and leak customer credentials outside of Azure. Exploiting a shell injection vulnerability leads to remote code execution in the Magnitude Simba Redshift ODBC that Microsoft’s software uses.
Data Security Perspective: Microsoft has since implemented the changes Orca recommended, including limited API usage and using a sandboxed VM, mitigating the vulnerability. Microsoft also recommends users of Synapse workspace or Azure Data Factory should do so with a managed virtual network to provide better isolation.
Shields Health Care Group Data Breach Affects 2 Million Patients
June 7, 2022
Shields Health Care Group, a Massachusetts-based medical company, has suffered a data breach. The breach, which occurred in March 2022, was caused by malicious actors gaining access to the company’s systems. As a result, the information of 2 million patients was accessed. This information included: billing information, birth dates, home addresses, medical diagnoses, insurance numbers, and Social Security numbers, among other medical PII.
Data Security Perspective: Affected patients should be aware of attempts to use their personal information for fraudulent purposes. Organizations should ensure their services follow security policies to avoid unauthenticated access to data, especially sensitive data.
Other News
Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat
Panchan’s Mining Rig: New Golang Peer-to-Peer Botnet Says “Hi!”
PyPI Package ‘keep’ Mistakenly Included A Password Stealer
Another 1.3M Patients Added To Data Breach Tally of Ransomware Attack on Eye Care Leaders
Data Breach At US Ambulance Billing Service Comstar Exposed Patients’ Healthcare Information
Cloud Security Bulletins
GCP
Data security thoughts...
PyPI Package' ctx' And PHP Library' phpass' Compromised To Steal Environment Variables
May 24, 2022
PyPI package 'ctx' has been compromised by malicious actors to steal environment variables. The package, which typically gets over 22,000 downloads a week, had its code altered to collect environment variables and send them to a C2 after base64 encoding them. In addition to the PyPI package, a fork of PHP library 'phpass' was also altered similarly to retrieve AWS developer secrets and send them to the same C2 address as the ctx package.
Data Security Perspective: For users of ctx, older versions of the package do not contain the malicious code. However, for newer versions 0.2.2, 0.2.6, and above, users should exercise caution and can check for malicious code. For users of phpass, the package appears to have been remedied to stop the attack.
US Charity Exposed Users' Sensitive Images
May 11, 2022
Researchers from SafetyDetectives have uncovered a misconfigured AWS S3 bucket belonging to a Pennsylvania breast cancer charity, Breastcancer.org. The bucket, which was left unsecured, contained over 150,000 files or 150GB of data. The data included user avatars, and images users have posted, including private images that include nudity for medical purposes. In addition, the EXIF data was still intact in the images which includes GPS location and device details. The exposed bucket was discovered in November 2021, and has been secured as of May 2022.
Data Security Perspective: Cloud misconfigurations pose a massive risk to organizations and can have severe consequences. Organizations should ensure security policies are followed in order to prevent data exposure. Solutions such as Open Raven or Magpie can discover and alert about exposed data, along with other security policy violations.
Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-iam-and-security-iam-attached-policies | aws-security-best-practices
Wiz Research Discovers "ExtraReplica"— A Cross-Account Database Vulnerability In Azure PostgreSQL
April 28, 2022
Researchers at Wiz have discovered a vulnerability in the Microsoft Azure Database for PostgreSQL Flexible Server. The vulnerability, named "#ExtraReplica" bypasses tenant isolation enabling unauthorized read access to other PostgreSQL databases. Malicious actors could gain unauthorized access to other databases by exploiting a bug in the Flexible Server auth process that allows elevated privileges and then use an improperly anchored regex to gain access to the other database.
Data Security Perspective: Microsoft responded to the vulnerability with patches for the Flexible Server released in February 2022 and said that no customers had been affected. As noted by Wiz, this vulnerability highlights the lack of a cloud vulnerability database, similar to the CVE database, which enables users to track and respond to vulnerabilities.
Heroku Admits To Customer Database Hack After OAuth Token Theft
May 5, 2022
After last month's security alert from Github that threat actors were stealing OAuth tokens from Heroku, and Travis-CI, Heroku announced the same stolen token was used to breach their customer database. The company announced the threat actor accessed and exfiltrated customer passwords from a customer database. Heroku initially reported that the stolen OAuth tokens could only provide threat actors to Github repositories but not to Heroku customer accounts.
LemonDuck Targets Docker For Cryptomining Operations
April 21, 2022
Cryptomining botnet LemonDuck, has been targeting Docker to mine cryptocurrency on Linux. Exposed Docker APIs are targeted with a custom entry point downloading a disguised Bash script. The bash file then sets up a cronjob which downloads the payload and enables it to kill processes, daemons, and known network connections as well as remove other cryptominers. The payload downloads and runs XMRig cryptominer.
Data Security Perspective: The misuse of exposed Docker APIs is increasing, especially for cryptomining. Users should ensure they have the correct security configurations when using Docker.
Medical Software Firm Fined €1.5M For Leaking Data Of 490k Patients
April 28, 2022
Medical software company Dedalus Biology has been fined 1.5 million Euros after exposing the PII of nearly 500,000 patients. The data, which came from a leaked database, included full names, genetic information, medical information such as medical conditions, and social security numbers. The leak appears to go back to March 2020, with parts of the dataset sold online in 2021. In total, Dedalus Biology was charged with three violations of GDPR, totaling 1.5 million Euros.
Data Security Perspective: Compliance is important for companies, especially those operating in Europe, as data exposure can lead to massive fines. Correct authentication and encryption are necessary for organizations, especially when handling sensitive data.
Report: FOX Exposed Nearly 13 Million Content Management Records Online
An exposed database belonging to FOX has been discovered by security researchers from Website Planet. The database contained 58 GB of information, with nearly 13,000,000 records, including internal emails, employee ID numbers, IP addresses, host information, and cast and crew names, among other details. While it is not apparent how long the database was exposed, it has since been secured.
Data Security Perspective: Having the correct configurations for databases and cloud resources is vital for organizations. This story highlights how even large corporations with security teams can be vulnerable to data exposure.
Other News
Microsoft Finds New Elevation of Privilege Linux Vulnerability, Nimbuspwn
Below The Surface: Group-IB Identified 308,000 Exposed Databases In 2021
NPM Flaw Let Attackers Add Anyone As Maintainer To Malicious Packages
New Black Basta Ransomware Springs Into Action With a Dozen Breaches
Jira Vulnerability CVE-2022-0540
Cisco Umbrella Virtual Appliance Static SSH Host Key Vulnerability
Critical Argo CD Vulnerability Could Allow Attackers Admin Privileges
Rogue Cloud Users Could Sabotage Fellow Off Prem Tenants Via Critical Flux Flaw
A Closer Look At Eternity Malware
Pharmacy Giant Hit By Data Breach Affecting 3.6 Million
Highlighted Security Tool
Anchore Engine is an open-source tool that analyzes container images with user-customizable policies. In addition, Anchore also evaluates vulnerabilities in the container images. Anchor Engine can be used within multiple orchestration platforms such as Docker, Kubernetes, Amazon ECS, among others.
Cloud Security Bulletins
GCP
Data security thoughts...
Security Alert: Attack Campaign Involving Stolen OAuth User Tokens Issued to Two Third-Party Integrators
April 19, 2022
GitHub announced findings of a campaign in which an attacker used stolen OAuth credentials to access and download data from private repos, npm, and other organizations. The OAuth tokens appear to have been stolen from third-party integrators Heroku and Travis-CI and used to access data from organizations that use Heroku and Travis-CI. In one instance, an AWS API key was stolen and used to download private npm repositories. GitHub announced that GitHub repos have not been affected by this campaign and have notified the affected companies.
Data Security Perspective: Affected customers have been and continue to be notified by GitHub. In addition, users should review what authorization they have given to which applications and revoke any unnecessary or unknown authorizations.
AWS RDS Vulnerability Leads to AWS Internal Service Credentials
April 11, 2022
A researcher at Lightspin discovered a vulnerability in Amazon Relational Database Service (RDS). The vulnerability allows AWS credentials to be accessed by exploiting a local file read vulnerability using a Postgres extension. Using the RDS superuser role, a validation function can then be dropped allowing for a successful path traversal. This then leads to the exposure of temporary credentials for an AWS internal role, and subsequently the discovery of the internal service.
Data Security Perspective: AWS released a patch for the vulnerability and fixed all currently supported versions. AWS also confirmed that the vulnerability was not exploited by any other actors.
Cado Discovers Denonia: The First Malware Specifically Targeting Lambda
April 6, 2022
Researchers at Cado Security have identified what is being described as the first malware targeting AWS Lambda. The malware, named “Denonia”, is written in Go and appears to be designed to execute within Lambda, specifically to deploy a custom XMRig crypto miner. The method used to deploy the binary is currently unknown. However, the researchers speculate it may be due to compromised AWS secrets.
Data Security Perspective: While the impact of Denonia appears to be limited, the use of Lambda demonstrates threat actors expanding into various cloud environments. While the use of stolen AWS credentials is unconfirmed, unauthorized use of Lambda functions could prove costly for organizations. In the event of stolen AWS credentials, users should immediately delete or disable the credentials.
Over 8 Million Cash App Users Potentially Exposed In A Data Breach After A Former Employee Downloaded Customer Information
April 14, 2022
A data breach occurred in Cash App after a former employee accessed and downloaded customer data. The breach, which happened in December 2021, has affected over eight million users and involved a former employee who accessed customer data. How the employee accessed, the data has not yet been revealed. Presumably, they still had access to an account that was not deactivated.
Data Security Perspective: Former employees having access to company information after leaving is a massive security risk that is being seen in more data breaches. Companies need to ensure proper offboarding takes place to avoid unauthorized access. In addition, companies can use a product such as Magpie or Open Raven to identify who has access and to which data.
Related Magpie Rules: aws-iam-and-security-ensure-no-stale-roles-with-inline-policies-for-s3-access | aws-iam-and-security-iam-user-unused-credentials-check | aws-storage-s3-bucket-cloudtrail-logs | aws-storage-s3-bucket-logging-enabled
Other News
Git Security Vulnerabilities Prompt Updates
Cloud Native Technologies Used In Russia-Ukraine Cyber Attacks
LockBit Ransomware Gang Lurked In A U.S. Gov Network For Months
Large-scale npm Attack Targets Azure Developers With Malicious Packages
Highlighted Security Tool
Kubesec is an open source security scanner for Kubernetes. The tool scans your resource YAML file to return a score based on how secure your containers are, and identifies any vulnerabilities.
Cloud Security Bulletins
AWS
GCP
Data security thoughts...
New Spring Java Framework Zero-Day Allows Remote Code Execution
March 30, 2022
A zero-day vulnerability has been found in the Spring Core Java Framework. The vulnerability “Spring4Shell” or “CVE-2022-22965” allows for remote code execution due to a bypass for “CVE-2020-1622”, a vulnerability in Java Beans API. For a malicious actor to exploit Spring4Shell, a simple HTTP request to a vulnerable system with DataBinder enabled, and an appropriate payload based on configuration is required. Microsoft released research detailing how an attacker can change the AccessLogValue class to create a .jsp containing a web shell based on the specified parameters that can then be used to execute commands from the attacker.
Data Security Perspective: Users are encouraged to update Spring Framework versions 5.3.18 and 5.2.20. Other workarounds include upgrading Tomcat, downgrading to Java 8, or setting “disallowedFields” on WebDataBinder globally. While there are multiple conditions required to exploit this vulnerability, there are reports of it being exploited in the wild. Users should immediately seek to prevent exploitation.
Stop Neglecting Your Cloud Security Features: Check Point Research Found Thousands of Open Cloud Databases Exposing Data In The Wild
March 15, 2022
Researchers at Check Point have identified over 2,000 insecure Firebase databases. Many of the exposed application databases have millions of downloads and expose customer data, including bank information, location, health data, phone numbers, and private keys, among other sensitive data. The applications had previously been uploaded to VirusTotal, an anti-virus repository, with the insecure data available for anyone who comes across it.
Data Security Perspective: While cloud misconfigurations can be seen as a simple security issue, many organizations are continuing to have damages occur from databases that are improperly secured. Properly configuring data stores is incredibly important, especially when handling sensitive and customer data, as leaks can be expensive. The exposure of databases can be utilized by attackers for malicious purposes such as modifying the content for extortion.
Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices | gcp-storage-cloud-bucket-public-access
Cr8escape: New Vulnerability in CRI-O Container Engine Discovered By Crowdstrike (CVE-2022-0811)
March 15, 2022
A vulnerability in Kubernetes container engine, CRI-O, has been identified by security researchers at Crowdstrike. Named “cr8escape”, or “CVE-2022-0811” is a high severity flaw that, if exploited, could enable a malicious actor to gain root access and have control over a Kubernetes pod. With access to a pod, an attacker could host malware, exfiltrate data, or use for privilege escalation.
Data Security Perspective: Users of Kubernetes CRI-O should immediately update to the most recent version. In addition, OpenShift 4+ and Oracle Container Engine for Kubernetes use CRI-O may also be vulnerable.
‘Dirty Pipe’ Linux Vulnerability Discovered
March 7, 2022
A Linux vulnerability was discovered by security researcher Max Kellerman that enables data to be overwritten in arbitrary read-only files. The vulnerability, designated “CVE-2022-0847” affects Linux Kernel versions 5.8 and over, although it was patched in later versions. To enable an attacker to exploit the vulnerability, they will need read permissions and other conditions and carry out a series of movements of data within a pipe. All together not highly complicated. The read permissions are essential as they are necessary for the splice() function to write to the pipe from the target file. However, write permissions are not needed. An attacker can exploit this vulnerability to elevate privileges, which can be used as part of an attack such as escaping a container.
Data Security Perspective: Any vulnerability that enables threat actors to have elevated privileges is always high risk, as it can typically be used to gain access to other systems depending on their intent. If an attacker were to exploit this vulnerability, all of the target’s systems would be under their control, including their data. Linux users are urged to immediately update their kernel version.
Ex CafePress Owner Fined $500,000 For 'Shoddy' Security, Covering Up Data Breach
March 17, 2022
The former owner of CafePress, an e-commerce platform, has been fined $500,000 due to how they mishandled security, particularly in relation to customer data. The Federal Trade Commission (FTC) outlined how the company failed to secure sensitive customer data, was unable to prevent data breaches in addition to attempting to hide serious breaches. Improperly secured data included customer PII including cleartext password reset answers, partial card payment, phone numbers, and unencrypted Social Security numbers. This data was then posted for sale online, with CafePress still not patching the vulnerability that enabled the exfiltration until months later.
Data Security Perspective: While many of the issues in this story were due to malpractice on the part of CafePress, it is important that all organizations have visibility into sensitive data locations. As highlighted by this story, data breaches are expensive for companies.
Other News
Unsecured Microsoft SQL, MySQL Servers Hit By Gh0stCringe Malware
BIG sabotage: Famous npm Package Deletes Files to Protest Ukraine War
KrisShop Falls Prey to Data Breach, Nearly 5k Customer Accounts Impacted
Facebook Fined $18.6M Over String Of 2018 Breaches of EU’s GDPR
Useful Tools
Previous newsletters covered recent Linux vulnerabilities. We thought we would highlight a useful open source tool called Lynis. Lynis can be used to scan UNIX-based systems to identify vulnerabilities. Lynis also supports penetration testing, auditing, compliance, and system hardening projects..
Cloud Security Bulletins
AWS
GCP
- GCP-2022-011
- GCP-2022-010 (high severity)
- GCP-2022-009
Data security thoughts...
From The Editor
Welcome, and thanks for reading. In our second issue, we explore the data security impact of two newly discovered vulnerabilities and review recent data breaches in AWS and Azure. If you have feedback or suggestions, send a note to hello@openraven.com.
New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?
March 3, 2022
In February, Linux announced a high-severity privilege escalation vulnerability designated "CVE-2022-0492". Researchers at Unit42 identified how this vulnerability can be exploited to potentially escape containers. Control groups (cgroups) are a Linux kernel feature used to allocate and limit resources containing a release_agent file. The vulnerability exists in this file, and if notify_on_release is enabled, a full permissions binary runs. However, the file is not checked for admin privileges which is the vulnerability. The exploitation of this vulnerability depends on circumstances such as security modules and profiles in use. In the right situations, the vulnerability can be used to escalate privileges for malicious purposes.
Data Security Perspective: All Linux users should immediately upgrade to the latest available version(s). Should an attacker exploit this vulnerability, they can gain access to sensitive data, gather system information and establish persistence. In addition, users should follow best security practices, including enabling Linux security modules such as Seccomp, SELinux, and AppArmor. As the vulnerability exists in the Linux kernel, all distributions are at risk and should follow security advisories for their distro. Users of AWS, GCP, and Kubernetes should enable Seccomp to restrict container privileges.
AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service
March 7, 2022
Researchers at Orca Security identified a critical vulnerability in the Microsoft Azure Automation Service. The vulnerability, named "AutoWrap," enables access to Managed Identity tokens for other user accounts, which can then grant full access to resources and data. Orca Researcher Yaniv Tsarimi wrote a simple Python script to make HTTP requests to a range of ports, retrieving other users' identity endpoints, including those in several large companies.
Data Security Perspective: AutoWarp demonstrates how vulnerabilities can exist in systems often trusted to be secure. Malicious actors can exploit the flaw to gain complete control of resources and data and elevate privileges. Microsoft patched the vulnerability and has not identified any token misuse. In addition, Azure Automation users are encouraged to follow best practices.
Luxury Children's Fashion E-Commerce Site Exposes Customers Worldwide
February 21, 2022
The security team at SafetyDetectives discovered a breach affecting French fashion retailer Melijoe. Melijoe had a misconfigured S3 bucket that exposed roughly 200 GB of data. The data contained customer PII including addresses, birth dates, email addresses, gender, children's names, payment information, and past purchases. Melijoe uploaded data to the unsecured bucket from October 2016 until November 2021, when SafetyDetectives notified the company of the exposure.
Data Security Perspective: Misconfigured S3 buckets are a common cause of data exposures. In this instance, Melijoe left their AWS S3 bucket publicly accessible due to a lack of password protection. S3 users should ensure buckets are configured with appropriate password protection. The Open Raven Data Security Platform and Magpie, our open-source CSPM, can alert users to misconfigurations and other security policy violations.
Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices
Internet Society Data Leak Exposed 80,000 Members' Login Details
February 18, 2022
The Internet Society (ISOC), a non-profit organization, announced a data leak due to a third-party vendor. Security researchers at Clario identified the exposed data after discovering a misconfigured Azure blob repository. The repository was publicly accessible and contained PII of members, including addresses, email addresses, login credentials, and names. The Internet Society stated that there is no evidence of any malicious actors accessing the information.
Other News
Duncan Regional Hospital data breach impacts 92K
Cookware giant Meyer discloses cyberattack that impacted employees
Did You Know
….that well thought out, and well-maintained dataclasses are vital to any data classification software? Or that human data is one of the most difficult to match? In our latest article, Introduction to Regex Based Data Classification for the Cloud, you can learn everything you need to know about writing and developing dataclasses.
Data security thoughts...
From the editor:
Welcome to our first issue. Thanks for reading. This week, we explore several recent data leaks and breaches, provide links to new Magpie rules that help close data security gaps, and provide a helpful tip about using NAT gateways in AWS VPCs. We'll add new sections and topics over time. If you have feedback or suggestions, send a note to hello@openraven.com.
Malicious Kubernetes Helm Charts Can Be Used To Steal Sensitive Information From Argo CD Developments
February 3, 2022
Security Researchers at Apiiro have identified a zero-day vulnerability in Argo CD. Argo CD (Continuous Delivery) is a popular continuous delivery platform. The vulnerability, designated “CVE-2022-24348”, can allow a malicious actor to access API keys, passwords, secrets, tokens, among other sensitive information, which can be utilized in further attacks for privilege escalation and lateral movement.
Data Security Perspective: Users of Argo CD are urged to immediately apply the patch for this vulnerability that has been released for multiple versions.
British Council Data Breach Leaks 10,000 Student Records
February 3, 2022
Security Researchers from Clario have identified a data breach that has exposed over 10,000 student records held by the British Council. The data, which included study durations, enrollment dates, email addresses, full names, and student IDs was held on an open Microsoft Azure blob repository. The blob container contained more than 144,000 files, according to researchers.
Data Security Perspective: Affected users should be aware of attempts to use the stolen personal information for fraudulent purposes. Organizations should ensure their services follow security policies to avoid unauthenticated access to data, especially sensitive data.
Telco Fined €9 Million For Hiding Cyberattack Impact From Customers
February 1, 2022
Hellenic Telecommunications Organization (OTE) have been fined €9 million related to sensitive customer information leaking from a breach. OTE Group is the largest technology company in Greece providing telecom services. The company was breached in 2020 and a threat actor stole 48GB of data that included age, gender, positional data, and plan information.
Data Security Perspective: Data breaches are increasingly common and highly costly issues facing organizations. Open Raven identifies where sensitive data is stored and isn’t adequately protected. Products such as Open Raven, or Magpie, can discover and alert to exposed data, along with other security policy violations and prevent expensive data leaks.
Unsecured AWS Server Exposed 3TB In Airport Employee Records
January 31, 2022
An unsecured AWS S3 bucket exposed over one million files containing sensitive data. The data contained information related to employees of airports across Colombia and Peru and was stored in a bucket owned by security company Securitas. The exposed information included occupations, ID photos, names, PII, and airport information regarding planes, GPS, luggage handling, and fueling lines.
Data Security Perspective: Cloud misconfigurations pose a massive risk to organizations and can have severe consequences. Organizations should ensure security policies are followed in order to prevent data exposure. Solutions such as Open Raven or Magpie can discover and alert about exposed data, along with other security policy violations.
Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-iam-and-security-iam-attached-policies | aws-security-best-practices
New Docker Cryptojacking Attempts Detected Over 2021 End-of-Year Holidays
January 27, 2022
Misconfigured Docker APIs have become a popular target with threat actors to mine cryptocurrency. Researchers at CrowdStrike have recently observed a crypto mining operation that targets exposed Docker APIs to deploy a Monero miner. A series of bash scripts are used to stop containers, run xmrig, and scan IP ranges. Many groups have been taking advantage of Docker’s misconfigurations, including Kissing, TeamTNT, and WatchDog.
Data Security Perspective: Docker users should ensure they correctly configure their containers. Additionally, users should only use images from trusted sources.
Did You Know?
....the default NAT gateway timeout in an AWS VPC is 5 minutes and 50 seconds? If you’re running Kubernetes (K8s) infrastructure in an AWS VPC through a NAT gateway check out our blog post to learn more.
