April 19, 2022
GitHub disclosed a campaign in which an attacker used stolen OAuth user tokens to access and download data from the private repositories of a number of organizations, including npm. The tokens had been issued to two third-party integrators, Heroku and Travis CI, and were abused against organizations that had authorized those services on their GitHub accounts. In npm's case, the attacker also obtained an AWS API key and used it to download private npm repositories. GitHub stated that GitHub itself was not compromised in this campaign and that it has notified the affected organizations.
Data Security Perspective: GitHub has notified, and continues to notify, affected customers. Beyond that, users and organization owners should review which OAuth applications are authorized on their accounts and organizations and revoke any that are unnecessary or unrecognized. Because the attacker read repository contents, any secrets committed to repositories those integrations could reach (cloud keys, tokens, passwords) should be treated as exposed and rotated.
April 11, 2022
A researcher at Lightspin discovered a vulnerability in Amazon Relational Database Service (RDS) for PostgreSQL. A local file read in a PostgreSQL extension, reachable with the RDS superuser role, could be turned into a path traversal by dropping the function the extension uses to validate file names. Reading files outside the intended directory exposed temporary credentials for an AWS-internal role, which in turn allowed the researcher to discover and reach an internal AWS service.
Data Security Perspective: AWS released a patch and fixed all currently supported versions; customers do not need to act beyond staying on a supported engine version. AWS also stated that it found no evidence the vulnerability had been exploited by anyone other than the researcher.
April 6, 2022
Researchers at Cado Security have identified what they describe as the first malware written specifically to target AWS Lambda. The malware, named "Denonia", is written in Go and appears designed to run inside the Lambda execution environment, where it deploys a customised XMRig cryptocurrency miner. How the binary is deployed into a victim's functions is not known; the researchers speculate that compromised AWS credentials are used.
Data Security Perspective: Denonia's impact appears limited so far, but it shows threat actors extending into serverless environments, not just virtual machines and containers. Even though the stolen-credential theory is unconfirmed, unauthorized Lambda execution is billed per invocation and per millisecond of runtime, so a miner running in many functions can become expensive quickly. If AWS credentials are suspected stolen, disable or delete them immediately, then review CloudTrail for resources those credentials created or modified.
April 14, 2022
Cash App disclosed a data breach in which a former employee accessed and downloaded customer data. The breach occurred in December 2021 and affected over eight million users. How the former employee still had access has not been revealed; presumably an account was not deactivated when they left.
Data Security Perspective: Former employees retaining access after they leave is a serious risk and one that appears in a growing number of breaches. Offboarding must revoke every account, access key and token a person held, and the revocation should be verified rather than assumed. Products such as Magpie or Open Raven can show who has access to which data, which makes leftover permissions easier to find.
Related Magpie Rules: aws-iam-and-security-ensure-no-stale-roles-with-inline-policies-for-s3-access | aws-iam-and-security-iam-user-unused-credentials-check | aws-storage-s3-bucket-cloudtrail-logs | aws-storage-s3-bucket-logging-enabled
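The stale-credential check referenced above (and the "disable stolen credentials immediately" advice in the Denonia item) comes down to one data source: the IAM credential report. The example below is added here and is not Magpie's or Open Raven's code. It parses a constructed credential report (the account ID, user names and dates are made up), flags every enabled password or access key that has not been used within a chosen window, and prints the AWS CLI commands an operator would run to disable them. A key that has never been used falls back to its rotation date so that an old, never-used key is flagged as well. The cutoff date is pinned to April 19, 2022 so the sample gives stable results; on a real report use the current time.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report
# (aws iam get-credential-report). Account ID, names and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T09:00:00+00:00,not_supported,2022-04-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-05-01T10:00:00+00:00,true,2022-04-18T07:30:00+00:00,2022-01-15T10:00:00+00:00,2022-04-15T10:00:00+00:00,true,true,2022-01-15T10:00:00+00:00,2022-04-18T07:31:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob-contractor,arn:aws:iam::111122223333:user/bob-contractor,2021-02-01T10:00:00+00:00,true,2021-12-20T16:00:00+00:00,2021-02-01T10:00:00+00:00,2021-05-02T10:00:00+00:00,false,true,2021-02-01T10:00:00+00:00,2021-12-21T09:00:00+00:00,us-west-2,lambda,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-09-10T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-09-10T10:00:00+00:00,N/A,N/A,N/A,true,2022-04-10T10:00:00+00:00,2022-04-19T02:00:00+00:00,us-east-1,ecr,false,N/A,false,N/A
"""

# Fixed "now" so the sample gives stable results; use datetime.now(timezone.utc) on a real report.
REPORT_TIME = datetime(2022, 4, 19, tzinfo=timezone.utc)

# Markers the credential report uses when there is no date to give.
MISSING = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Return an aware datetime, or None for the report's 'no value' markers."""
    if value in MISSING:
        return None
    return datetime.fromisoformat(value)


def find_stale_credentials(report_csv, now=REPORT_TIME, max_idle_days=90):
    """Return (user, credential, last_activity) for every enabled password or
    access key not used within max_idle_days. A credential that has never been
    used falls back to its last change/rotation date, so an old unused key is
    flagged too. Disabled credentials are skipped."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            last = parse_ts(row["password_last_used"]) or parse_ts(row["password_last_changed"])
            if last is None or last < cutoff:
                findings.append((user, "password", last))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last = (parse_ts(row[f"access_key_{n}_last_used_date"])
                    or parse_ts(row[f"access_key_{n}_last_rotated"]))
            if last is None or last < cutoff:
                findings.append((user, f"access_key_{n}", last))
    return findings


def remediation_commands(findings):
    """AWS CLI steps to disable each flagged credential. The credential report
    does not contain access key IDs, so keys are listed first, then deactivated
    (Inactive keeps the key recoverable if it turns out to be needed)."""
    cmds = []
    for user, cred, _ in findings:
        if cred == "password":
            cmds.append(f"aws iam delete-login-profile --user-name {user}")
        else:
            cmds.append(f"aws iam list-access-keys --user-name {user}")
            cmds.append(f"aws iam update-access-key --user-name {user} "
                        "--access-key-id <key id from list-access-keys> --status Inactive")
    return cmds


if __name__ == "__main__":
    found = find_stale_credentials(SAMPLE_REPORT)
    for user, cred, last in found:
        print(f"{user}: {cred} last activity {last.date() if last else 'never'}")
    print("\n".join(remediation_commands(found)))
```

With the 90-day window the sample flags bob-contractor's password and access key (last used in December 2021) and ci-deploy's first access key (created in September 2021 and never used), while alice and ci-deploy's second key, both used the day before, pass. The root account is skipped because password tracking is reported as not_supported and it has no access keys; if a root key were active, it should be flagged regardless of age.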
Kubesec is an open source security scanner for Kubernetes manifests. It reads a resource's YAML (or JSON) and returns a risk score based on the pod and container security settings it finds: privileged containers, shared host namespaces, added capabilities, whether the container runs as root, a read-only root filesystem, resource limits, and similar. It scores configuration, not images, so it does not find CVEs in the container's packages.
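To show what that kind of scoring looks at, here is a small scorer added for this page; it is not kubesec's code, and the rule weights are assumptions loosely modelled on kubesec's default rules, so its numbers will not match kubesec's output exactly. The two manifests are constructed, given in JSON form (which kubesec also accepts) to avoid a YAML dependency: one is a typical "debug" pod with host namespaces and a privileged container, the other is the hardened form of an ordinary application pod.

```python
import json

# Rule weights are assumptions loosely modelled on kubesec's default rules;
# this is not kubesec's code. Negative weights are "critical" findings.
POD_CRITICAL = {"hostNetwork": -9, "hostPID": -9, "hostIPC": -9}

# Constructed manifests (JSON form of the YAML kubesec would read).
RISKY_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
 "spec": {"hostNetwork": true, "hostPID": true,
          "containers": [{"name": "shell", "image": "busybox",
                          "securityContext": {"privileged": true}}]}}
""")

HARDENED_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
 "spec": {"serviceAccountName": "app-sa",
          "containers": [{"name": "app", "image": "nginx:1.21",
                          "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                                              "readOnlyRootFilesystem": true,
                                              "capabilities": {"drop": ["ALL"]}},
                          "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}
""")


def _containers(spec):
    """Init containers get the same scrutiny as app containers."""
    return list(spec.get("initContainers") or []) + list(spec.get("containers") or [])


def scan_pod(manifest):
    """Score a parsed Pod manifest. 'critical' lists settings that break
    isolation (each subtracts from the score); 'advise' lists hardening
    settings that are present (each adds). passed is False if anything
    critical fired or the score is negative."""
    spec = manifest.get("spec") or {}
    critical, advise, score = [], [], 0

    for field, weight in POD_CRITICAL.items():
        if spec.get(field) is True:
            critical.append(f".spec.{field}")
            score += weight
    if spec.get("serviceAccountName"):
        advise.append(".spec.serviceAccountName")
        score += 3

    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        limits = (c.get("resources") or {}).get("limits") or {}

        if sc.get("privileged") is True:
            critical.append(f"{name}: securityContext.privileged")
            score -= 30
        if "SYS_ADMIN" in (caps.get("add") or []):
            critical.append(f"{name}: capabilities.add SYS_ADMIN")
            score -= 30

        hardening = [
            (sc.get("runAsNonRoot") is True, "runAsNonRoot"),
            (isinstance(sc.get("runAsUser"), int) and sc["runAsUser"] > 10000, "runAsUser > 10000"),
            (sc.get("readOnlyRootFilesystem") is True, "readOnlyRootFilesystem"),
            ("ALL" in (caps.get("drop") or []), "capabilities.drop ALL"),
            ("cpu" in limits, "resources.limits.cpu"),
            ("memory" in limits, "resources.limits.memory"),
        ]
        for present, label in hardening:
            if present:
                advise.append(f"{name}: {label}")
                score += 1

    return {"score": score, "passed": not critical and score >= 0,
            "critical": critical, "advise": advise}


if __name__ == "__main__":
    for label, pod in (("risky", RISKY_POD), ("hardened", HARDENED_POD)):
        print(label, json.dumps(scan_pod(pod), indent=2))
```

The risky pod scores -48 with three critical findings, so it fails outright no matter what hardening is added elsewhere in the manifest; the hardened pod scores 9 with no critical findings. The point to take from the weighting is that a single privileged container or shared host namespace outweighs every positive setting combined, which is how kubesec's own scoring treats them as well.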