Security Alert: Attack Campaign Involving Stolen OAuth User Tokens Issued to Two Third-Party Integrators

April 19, 2022

GitHub announced findings of a campaign in which an attacker used stolen OAuth credentials to access and download data from private repos, npm, and other organizations. The OAuth tokens appear to have been stolen from third-party integrators Heroku and Travis-CI and used to access data from organizations that use Heroku and Travis-CI. In one instance, an AWS API key was stolen and used to download private npm repositories. GitHub announced that GitHub repos have not been affected by this campaign and have notified the affected companies.

Data Security Perspective: Affected customers have been and continue to be notified by GitHub. In addition, users should review what authorization they have given to which applications and revoke any unnecessary or unknown authorizations.

AWS RDS Vulnerability Leads to AWS Internal Service Credentials

April 11, 2022

A researcher at Lightspin discovered a vulnerability in Amazon Relational Database Service (RDS). The vulnerability allows AWS credentials to be accessed by exploiting a local file read vulnerability using a Postgres extension. Using the RDS superuser role, a validation function can then be dropped allowing for a successful path traversal. This then leads to the exposure of temporary credentials for an AWS internal role, and subsequently the discovery of the internal service.

‍Data Security Perspective: AWS released a patch for the vulnerability and fixed all currently supported versions. AWS also confirmed that the vulnerability was not exploited by any other actors.

Cado Discovers Denonia: The First Malware Specifically Targeting Lambda

April 6, 2022

Researchers at Cado Security have identified what is being described as the first malware targeting AWS Lambda. The malware, named “Denonia”, is written in Go and appears to be designed to execute within Lambda, specifically to deploy a custom XMRig crypto miner. The method used to deploy the binary is currently unknown. However, the researchers speculate it may be due to compromised AWS secrets.

Data Security Perspective: While the impact of Denonia appears to be limited, the use of Lambda demonstrates threat actors expanding into various cloud environments. While the use of stolen AWS credentials is unconfirmed, unauthorized use of Lambda functions could prove costly for organizations. In the event of stolen AWS credentials, users should immediately delete or disable the credentials.

Over 8 Million Cash App Users Potentially Exposed In A Data Breach After A Former Employee Downloaded Customer Information

April 14, 2022

A data breach occurred in Cash App after a former employee accessed and downloaded customer data. The breach, which happened in December 2021, has affected over eight million users and involved a former employee who accessed customer data. How the employee accessed, the data has not yet been revealed. Presumably, they still had access to an account that was not deactivated. 

Data Security Perspective: Former employees having access to company information after leaving is a massive security risk that is being seen in more data breaches. Companies need to ensure proper offboarding takes place to avoid unauthorized access. In addition, companies can use a product such as Magpie or Open Raven to identify who has access and to which data.

Related Magpie Rules: aws-iam-and-security-ensure-no-stale-roles-with-inline-policies-for-s3-access | aws-iam-and-security-iam-user-unused-credentials-check | aws-storage-s3-bucket-cloudtrail-logs | aws-storage-s3-bucket-logging-enabled

Other News

Git Security Vulnerabilities Prompt Updates

Cloud Native Technologies Used In Russia-Ukraine Cyber Attacks

LockBit Ransomware Gang Lurked In A U.S. Gov Network For Months

Large-scale npm Attack Targets Azure Developers With Malicious Packages

‍

Highlighted Security Tool

Kubesec is an open source security scanner for Kubernetes. The tool scans your resource YAML file to return a score based on how secure your containers are, and identifies any vulnerabilities.

Cloud Security Bulletins

AWS

• AWS-2022-005
• AWS-2022-004

GCP

• GCP-2022-012
• GCP-2022-013

‍

New Spring Java Framework Zero-Day Allows Remote Code Execution

March 30, 2022

‍A zero-day vulnerability has been found in the Spring Core Java Framework. The vulnerability “Spring4Shell” or “CVE-2022-22965” allows for remote code execution due to a bypass for “CVE-2020-1622”, a vulnerability in Java Beans API. For a malicious actor to exploit Spring4Shell, a simple HTTP request to a vulnerable system with DataBinder enabled, and an appropriate payload based on configuration is required. Microsoft released research detailing how an attacker can change the AccessLogValue class to create a .jsp containing a web shell based on the specified parameters that can then be used to execute commands from the attacker. 

‍Data Security Perspective: Users are encouraged to update Spring Framework versions 5.3.18 and 5.2.20. Other workarounds include upgrading Tomcat, downgrading to Java 8, or setting “disallowedFields” on WebDataBinder globally. While there are multiple conditions required to exploit this vulnerability, there are reports of it being exploited in the wild. Users should immediately seek to prevent exploitation. 

Stop Neglecting Your Cloud Security Features: Check Point Research Found Thousands of Open Cloud Databases Exposing Data In The Wild

March 15, 2022

Researchers at Check Point have identified over 2,000 insecure Firebase databases. Many of the exposed application databases have millions of downloads and expose customer data, including bank information, location, health data, phone numbers, and private keys, among other sensitive data. The applications had previously been uploaded to VirusTotal, an anti-virus repository, with the insecure data available for anyone who comes across it. 

Data Security Perspective: While cloud misconfigurations can be seen as a simple security issue, many organizations are continuing to have damages occur from databases that are improperly secured. Properly configuring data stores is incredibly important, especially when handling sensitive and customer data, as leaks can be expensive. The exposure of databases can be utilized by attackers for malicious purposes such as modifying the content for extortion.

Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices | gcp-storage-cloud-bucket-public-access

Cr8escape: New Vulnerability in CRI-O Container Engine Discovered By Crowdstrike (CVE-2022-0811)

March 15, 2022

A vulnerability in Kubernetes container engine, CRI-O, has been identified by security researchers at Crowdstrike. Named “cr8escape”, or “CVE-2022-0811” is a high severity flaw that, if exploited, could enable a malicious actor to gain root access and have control over a Kubernetes pod. With access to a pod, an attacker could host malware, exfiltrate data, or use for privilege escalation. 

Data Security Perspective: Users of Kubernetes CRI-O should immediately update to the most recent version. In addition, OpenShift 4+ and Oracle Container Engine for Kubernetes use CRI-O may also be vulnerable. 

‘Dirty Pipe’ Linux Vulnerability Discovered

March 7, 2022

A Linux vulnerability was discovered by security researcher Max Kellerman that enables data to be overwritten in arbitrary read-only files. The vulnerability, designated “CVE-2022-0847” affects Linux Kernel versions 5.8 and over, although it was patched in later versions. To enable an attacker to exploit the vulnerability, they will need read permissions and other conditions and carry out a series of movements of data within a pipe. All together not highly complicated. The read permissions are essential as they are necessary for the splice() function to write to the pipe from the target file. However, write permissions are not needed. An attacker can exploit this vulnerability to elevate privileges, which can be used as part of an attack such as escaping a container.  

Data Security Perspective: Any vulnerability that enables threat actors to have elevated privileges is always high risk, as it can typically be used to gain access to other systems depending on their intent. If an attacker were to exploit this vulnerability, all of the target’s systems would be under their control, including their data. Linux users are urged to immediately update their kernel version. 

Ex CafePress Owner Fined $500,000 For 'Shoddy' Security, Covering Up Data Breach

March 17, 2022

The former owner of CafePress, an e-commerce platform, has been fined $500,000 due to how they mishandled security, particularly in relation to customer data. The Federal Trade Commission (FTC) outlined how the company failed to secure sensitive customer data, was unable to prevent data breaches in addition to attempting to hide serious breaches. Improperly secured data included customer PII including cleartext password reset answers, partial card payment, phone numbers, and unencrypted Social Security numbers. This data was then posted for sale online, with CafePress still not patching the vulnerability that enabled the exfiltration until months later.

Data Security Perspective: While many of the issues in this story were due to malpractice on the part of CafePress, it is important that all organizations have visibility into sensitive data locations. As highlighted by this story, data breaches are expensive for companies. 

Other News

Unsecured Microsoft SQL, MySQL Servers Hit By Gh0stCringe Malware

BIG sabotage: Famous npm Package Deletes Files to Protest Ukraine War

KrisShop Falls Prey to Data Breach, Nearly 5k Customer Accounts Impacted 

Facebook Fined $18.6M Over String Of 2018 Breaches of EU’s GDPR

Useful Tools

Previous newsletters covered recent Linux vulnerabilities. We thought we would highlight a useful open source tool called Lynis. Lynis can be used to scan UNIX-based systems to identify vulnerabilities. Lynis also supports penetration testing, auditing, compliance, and system hardening projects..

Cloud Security Bulletins

AWS

• CVE-2022-0778

GCP

• GCP-2022-011
• GCP-2022-010 (high severity)
• GCP-2022-009

From The Editor‍

Welcome, and thanks for reading. In our second issue, we explore the data security impact of two newly discovered vulnerabilities and review recent data breaches in AWS and Azure. If you have feedback or suggestions, send a note to hello@openraven.com.‍

New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?‍

March 3, 2022

In February, Linux announced a high-severity privilege escalation vulnerability designated "CVE-2022-0492". Researchers at Unit42 identified how this vulnerability can be exploited to potentially escape containers. Control groups (cgroups) are a Linux kernel feature used to allocate and limit resources containing a release_agent file. The vulnerability exists in this file, and if notify_on_release is enabled, a full permissions binary runs. However, the file is not checked for admin privileges which is the vulnerability. The exploitation of this vulnerability depends on circumstances such as security modules and profiles in use. In the right situations, the vulnerability can be used to escalate privileges for malicious purposes.‍

Data Security Perspective:  All Linux users should immediately upgrade to the latest available version(s). Should an attacker exploit this vulnerability, they can gain access to sensitive data, gather system information and establish persistence. In addition, users should follow best security practices, including enabling Linux security modules such as Seccomp, SELinux, and AppArmor. As the vulnerability exists in the Linux kernel, all distributions are at risk and should follow security advisories for their distro. Users of AWS, GCP, and Kubernetes should enable Seccomp to restrict container privileges. ‍

AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service‍

March 7, 2022‍

Researchers at Orca Security identified a critical vulnerability in the Microsoft Azure Automation Service. The vulnerability, named "AutoWrap," enables access to Managed Identity tokens for other user accounts, which can then grant full access to resources and data. Orca Researcher Yaniv Tsarimi wrote a simple Python script to make HTTP requests to a range of ports, retrieving other users' identity endpoints, including those in several large companies.   

‍Data Security Perspective: AutoWarp demonstrates how vulnerabilities can exist in systems often trusted to be secure. Malicious actors can exploit the flaw to gain complete control of resources and data and elevate privileges. Microsoft patched the vulnerability and has not identified any token misuse. In addition, Azure Automation users are encouraged to follow best practices.‍

Luxury Children's Fashion E-Commerce Site Exposes Customers Worldwide‍

February 21, 2022‍

The security team at SafetyDetectives discovered a breach affecting French fashion retailer Melijoe. Melijoe had a misconfigured S3 bucket that exposed roughly 200 GB of data. The data contained customer PII including addresses, birth dates, email addresses, gender, children's names, payment information, and past purchases. Melijoe uploaded data to the unsecured bucket from October 2016 until November 2021, when SafetyDetectives notified the company of the exposure. ‍

Data Security Perspective: Misconfigured S3 buckets are a common cause of data exposures. In this instance, Melijoe left their AWS S3 bucket publicly accessible due to a lack of password protection. S3 users should ensure buckets are configured with appropriate password protection. The Open Raven Data Security Platform and Magpie, our open-source CSPM, can alert users to misconfigurations and other security policy violations.‍

Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-security-best-practices‍

Internet Society Data Leak Exposed 80,000 Members' Login Details‍

February 18, 2022

The Internet Society (ISOC), a non-profit organization, announced a data leak due to a third-party vendor. Security researchers at Clario identified the exposed data after discovering a misconfigured Azure blob repository. The repository was publicly accessible and contained PII of members, including addresses, email addresses, login credentials, and names. The Internet Society stated that there is no evidence of any malicious actors accessing the information.  ‍

Other News‍

Duncan Regional Hospital data breach impacts 92K‍

Cookware giant Meyer discloses cyberattack that impacted employees‍

Did You Know

‍….that well thought out, and well-maintained dataclasses are vital to any data classification software? Or that human data is one of the most difficult to match? In our latest article, Introduction to Regex Based Data Classification for the Cloud, you can learn everything you need to know about writing and developing dataclasses.

From the editor:‍

Welcome to our first issue. Thanks for reading. This week, we explore several recent data leaks and breaches, provide links to new Magpie rules that help close data security gaps, and provide a helpful tip about using NAT gateways in AWS VPCs. We'll add new sections and topics over time. If you have feedback or suggestions, send a note to hello@openraven.com.‍

Malicious Kubernetes Helm Charts Can Be Used To Steal Sensitive Information From Argo CD Developments‍

February 3, 2022‍‍

‍Security Researchers at Apiiro have identified a zero-day vulnerability in Argo CD. Argo CD (Continuous Delivery) is a popular continuous delivery platform. The vulnerability, designated “CVE-2022-24348”, can allow a malicious actor to access API keys, passwords, secrets, tokens, among other sensitive information, which can be utilized in further attacks for privilege escalation and lateral movement. ‍

Data Security Perspective: Users of Argo CD are urged to immediately apply the patch for this vulnerability that has been released for multiple versions.‍

British Council Data Breach Leaks 10,000 Student Records‍

February 3, 2022‍

Security Researchers from Clario have identified a data breach that has exposed over 10,000 student records held by the British Council. The data, which included study durations, enrollment dates, email addresses, full names, and student IDs was held on an open Microsoft Azure blob repository. The blob container contained more than 144,000 files, according to researchers.‍

Data Security Perspective: Affected users should be aware of attempts to use the stolen personal information for fraudulent purposes. Organizations should ensure their services follow security policies to avoid unauthenticated access to data, especially sensitive data.‍

Telco Fined €9 Million For Hiding Cyberattack Impact From Customers‍

February 1, 2022‍

Hellenic Telecommunications Organization (OTE) have been fined €9 million related to sensitive customer information leaking from a breach. OTE Group is the largest technology company in Greece providing telecom services. The company was breached in 2020 and a threat actor stole 48GB of data that included age, gender, positional data, and plan information. ‍

Data Security Perspective: Data breaches are increasingly common and highly costly issues facing organizations. Open Raven identifies where sensitive data is stored and isn’t adequately protected. Products such as Open Raven, or Magpie, can discover and alert to exposed data, along with other security policy violations and prevent expensive data leaks.‍

Unsecured AWS Server Exposed 3TB In Airport Employee Records‍

January 31, 2022‍

An unsecured AWS S3 bucket exposed over one million files containing sensitive data. The data contained information related to employees of airports across Colombia and Peru and was stored in a bucket owned by security company Securitas. The exposed information included occupations, ID photos, names, PII, and airport information regarding planes, GPS, luggage handling, and fueling lines.‍

Data Security Perspective:  Cloud misconfigurations pose a massive risk to organizations and can have severe consequences. Organizations should ensure security policies are followed in order to prevent data exposure. Solutions such as Open Raven or Magpie can discover and alert about exposed data, along with other security policy violations.‍

Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-iam-and-security-iam-attached-policies | aws-security-best-practices‍

New Docker Cryptojacking Attempts Detected Over 2021 End-of-Year Holidays‍

January 27, 2022

Misconfigured Docker APIs have become a popular target with threat actors to mine cryptocurrency. Researchers at CrowdStrike have recently observed a crypto mining operation that targets exposed Docker APIs to deploy a Monero miner. A series of bash scripts are used to stop containers, run xmrig, and scan IP ranges. Many groups have been taking advantage of Docker’s misconfigurations, including Kissing, TeamTNT, and WatchDog.‍

Data Security Perspective: Docker users should ensure they correctly configure their containers. Additionally, users should only use images from trusted sources.‍

Did You Know?‍

....the default NAT gateway timeout in an AWS VPC is 5 minutes and 50 seconds? If you’re running Kubernetes (K8s) infrastructure in an AWS VPC through a NAT gateway check out our blog post to learn more.