Search This Blog

Showing posts with label API. Show all posts

Hackers Breached Accounts of Twilio Users

According to data provided by Twilio, hackers were able to obtain information from "a limited number" of customer accounts through a breach including data theft of employee credentials.

On August 4th, a hacker sent SMS messages to Twilio employees asking them to change their passwords or informing them of a change in their schedule. Each message contained a URL that contained phrases like "Twilio," "SSO" (single sign-on), and "Okta," the brand of user authentication service that is employed by numerous businesses. Employees who clicked on the link were taken to a fake Twilio sign-in page, where hackers were able to capture the data they entered.

When the breach was discovered, Twilio worked with US phone providers to shut down the SMS system and also requested that web hosting companies remove the fake sign-in sites. Twilio reports that hackers were still able to switch to different hosting companies and cell carriers in order to continue their assault.

Facebook and Uber are two of the more than 150,000 businesses that use Twilio.

Laurelle Remzi, an official for Twilio, declined to reveal how many customers were impacted or what data the hackers got. According to Twilio's privacy statement, the data it gathers includes addresses, payment information, IP addresses, and, in certain situations, identification documentation. 

The hackers are skilled enough to switch between telco carriers and hosting providers using social engineering lures, according to Twilio, a dominant player in the enterprise communication API market with 26 offices across 17 countries. Twilio classified the situation as ongoing.

The company didn't specify whether the social engineering attacks were successful or whether any MFA (multi-factor authentication) hurdles were encountered by the attacker.

According to Twilio, its security team has terminated access to the hacked employee accounts in order to reduce the effect of the attack and has contacted a third-party forensics company to assist in the investigation.

Here's How BlackMatter Ransomware is Linked With LockBit 3.0


LockBit 3.0, the most recent version of LockBit ransomware, and BlackMatter contain similarities discovered by cybersecurity researchers. 

In addition to introducing a brand-new leak site, the first ransomware bug bounty program, LockBit 3.0, was released in June 2022. Zcash was also made available as a cryptocurrency payment method.

"The encrypted filenames are appended with the extensions 'HLJkNskOq' or '19MqZqZ0s' by the ransomware, and its icon is replaced with a.ico file icon. The ransom note then appears, referencing 'Ilon Musk'and the General Data Protection Regulation of the European Union (GDPR)," researchers from Trend Micro stated.

The ransomware alters the machine's wallpaper when the infection process is finished to alert the user of the attack. Several LockBit 3.0's code snippets were found to be lifted from the BlackMatter ransomware by Trend Micro researchers when they were debugging the Lockbit 3.0 sample.

Identical ransomware threats

The researchers draw attention to the similarities between BlackMatter's privilege escalation and API harvesting techniques. By hashing a DLL's API names and comparing them to a list of the APIs the ransomware requires, LockBit 3.0 executes API harvesting. As the publically accessible script for renaming BlackMatter's APIs also functions for LockBit 3.0, this procedure is the same as that of BlackMatter.

The most recent version of LockBit also examines the UI language of the victim machine to prevent infection of machines that speak these languages in the Commonwealth of Independent States (CIS) member states.

Windows Management Instrumentation (WMI) via COM objects is used by Lockbit 3.0 and BlackMatter to delete shadow copies. Experts draw attention to the fact that LockBit 2.0 deletes using vssadmin.exe.

The findings coincide with LockBit attacks becoming the most active ransomware-as-a-service (RaaS) gangs in 2022, with the Italian Internal Revenue Service (L'Agenzia delle Entrate) being the most recent target.

The ransomware family contributed to 14% of intrusions, second only to Conti at 22%, according to Palo Alto Networks' 2022 Unit 42 Incident Response Report, which was released and is based on 600 instances handled between May 2021 and April 2022.

Prototype Bug in Blitz.js. Allows RCE on Node.js Servers


Blitz.js, a JavaScript web online framework, has issued a patch for a critical prototype pollution bug to prevent remote code execution (RCE) on Node.js servers. 

Prototype pollution is a specific kind of JavaScript vulnerability that allows hackers to manipulate the structure of the programming language and exploit it in multiple ways, Paul Gerste, security researcher at Sonar explained. It also allowed hackers to exploit the code in the Blitz.js app to design a reverse shell and run arbitrary commands on the server. 

Blitz is designed on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform. One of the popular components of Blitz.js is its ‘Zero-API’ layer, which allows the customer to employ specific functions to call server-side business logic without having to design API code. 

Additionally, it makes an RPC call to the server in the background and returns the response to the client function call. Gerste identified a chain of exploits that could be exploited via the prototype pollution bug and lead to RCE. 

The attackers target Node.js by sending a JSON request, a browser service that enables two-way data exchange with any JSON data server without exposing users’ data, to the server, which triggers the routing function of Blitz.js to load a JavaScript file with the polluted prototype. This allows the hacker to employ the malicious JavaScript object to implement arbitrary code. 

In an ideal scenario, the hacker would design and run a file on the server. But Blitz.js does not support upload functionality. However, it has a CLI wrapper script that uses JavaScript’s spawn() function to launch a new process. 

The attacker could use this function to launch a CLI process and run an arbitrary command on the server. The vulnerability can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.  

“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste explained. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.” 

In his blog post, the researcher mentioned some general recommendations to safeguard JavaScript apps against prototype pollution, including freezing 'object.prototype or using the --disable-proto=delete flag in Node.js

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste added. “I don’t see developers often use the patterns that we recommended in our article. With our blog posts, we try to help educate JavaScript developers and share this knowledge.”

A SQL Injection bug Hits the Django web Framework


A serious vulnerability has been addressed in the most recent versions of the open-source Django web framework. 

Updates decrease the risk of SQL Injection

Developers are advised to update or patch their Django instances as soon after the Django team issues versions Django 4.0.6 and Django 3.2.14 that fix a high-severity SQL injection vulnerability. 

Malicious actors may exploit the vulnerability, CVE-2022-34265, by passing particular inputs to the Trunc and Extract methods.

The issue, which can be leveraged if untrusted data was used as a kind/lookup name value, is said to be present in the Trunc() and Extract() database functions, according to the researchers. It is feasible to lessen the danger of being exploited by implementing input sanitization for these functions.


Django's main branch and the 4.1, 4.0, and 3.2 release branches have all received patches to fix the problem. 

"This security update eliminates the problem, but we've found enhancements to the Database API methods for date extract and truncate that should be added to Django 4.1 before its official release. Django 4.1 releases candidate 1 or newer third-party database backends will be affected by this until they can be updated to the new API. We apologize for the trouble," Django team stated.

Susceptible APIs Costing Organizations Billions Every year


Last week, threat intelligence firm Imperva published a report titled ‘Quantifying the Cost of API Insecurity’, which examined nearly 117,000 security incidents and unearthed that API insecurity was responsible for annual losses of between $41- 75 billion globally. 

The study conducted by the Marsh McLennan Cyber Risk Analytics Center discovered that larger enterprises had a higher threat of having API-related breaches, with organizations making more than $100 billion in revenue being three to four times more likely to face API insecurity than small or midsize enterprises. 

The security analysts identified that Asia has a high incident rate with between 16% and 20% of cyber-security incidents related to API insecurity. This is likely due to the rapid digital transformation happening across Asia, especially in regard to mobile, as the majority of digital transactions in Asia are done through mobile. 

 How are businesses getting API security so wrong? 

An API is the invisible connective tissue that allows applications to transfer data to enhance end-user experiences and results. "The growing security risks associated with APIs correlate with the proliferation of APIs," says Lebin Cheng, vice president of API security for Imperva. 

"The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs." 

Businesses are frequently failing to secure APIs, with 95% of enterprises suffering an API security incident in the last 12 months, and 34% acknowledging they lack any kind of API security methodology— despite running APIs in production. 

“Many organizations are failing to protect their APIs because it requires equal participation from the security and development teams,” Cheng explained. “Historically, these groups have been at odds —security is the party of no, and devops is irresponsible and moves too fast. In order to address these challenges, security leaders have to enable application developers to create secure code using technology that is lightweight and works efficiently." 

 Tips for enhancing API security: 

Imperva recommended organizations adopt API governance by monitoring endpoints beyond their organizations. They should also monitor the data flowing through them to ensure that sensitive information is protected. 

Any methodology that security teams implement should include API discovery and data classification. This way, security experts can identify the schema of APIs, while spotting and classifying the data that passes through it, while employing testing to unearth any potential vulnerabilities.

API Security Losses Total Billions, US Companies Hit Hard

According to the analysis of breach data, US companies are the ones affected the most by the APIs. Companies have lost a combined amount of $12 billion to $23 billion in 2022 from compromises linked to Web application programming interfaces (APIs). 

APIs are used in Internet of Things (IoT) applications and on websites. An API is a mechanism that facilitates two software systems to interact. It controls the types of requests that take place between programs, how these requests are made, and the kinds of data formats used. For example, the Google Maps application on a mobile device does not contain names of all the streets, cities, towns, and other landmarks on your device. Instead, it connects to another application within the Google server that contains all of that information and this connection is made possible using an API. 

The data over the last decade suggests that API security has leveled up as a significant cybersecurity problem. Following the information, the Open Web Security Application Project (OWASP) has listed the top 10 APl security issues in 2019. 

It has explained various API weaknesses including broken authorization for objects, weak user authentication, and excessive data exposure as sensitive issues for software makers and companies that rely on cloud services. Thus, API security has become increasingly important. 

APIs work as the backend framework for mobile and web applications. Crucial and sensitive data is transferred between users, APIs, and applications and systems. Therefore, it is important to protect the sensitive data they transfer. 

According to the report 'Quantifying the Cost of API Insecurity' published this week by application-security firm Imperva and risk-strategy firm Marsh McLennan – cybersecurity issues would grow as APIs continue to become a common pattern for cloud and mobile devices.

"The growing security risks associated with APIs correlate with the proliferation of APIs. The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs," says Lebin Cheng, vice president of API security for Imperva. 

Further, in Asia, more than 100 combined API security incidents occurred, and in the US more than 600 API security events. To prevent this, companies have to gain visibility into how they are using APIs and create a complete inventory of the API traffic in their network.

Google Strengthens Android Security With a New Set of Dev Policy Updates


Google has announced several important policy changes for Android app developers that will improve the security of users, Google Play, and the apps available through the service. 
These new developer requirements will be in effect from May 11th through November 1st, 2022, allowing developers plenty of time to adjust. The following are the most important policy changes related to cybersecurity and fraud that will be implemented: 
  • New API level target requirements.
  • Banning of loan apps whose Annual Percentage Rate (APR) is 36% or higher.
  • Prohibiting the abuse of the Accessibility API.
  • New policy changes for the permission to install packages from external sources.
All newly released/published apps must target an Android API level released within one year of the most recent major Android version release starting November 1, 2022. Those who do not comply with this criterion will have their apps banned from the Play Store, Android's official app store. 

Existing apps that do not target an API level within two years of the most recent major Android version will be eliminated from the Play Store and become undiscoverable. This change is intended to compel app developers to follow the tougher API regulations that underpin newer Android releases, such as better permission management and revoking, notification anti-hijacking, data privacy enhancements, phishing detection, splash screen limits, and other features. 

According to Google's blog article on the new policy: "users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer." 

App developers who require extra time to migrate to more recent API levels can request a six-month extension, albeit this is not guaranteed. Many outdated apps will be forced to adopt better secure methods as a result of this policy change. 

Accessibility API abuse

The Accessibility API for Android enables developers to design apps that are accessible to people with disabilities, enabling the creation of new ways to operate the device using its applications. However, malware frequently exploits this capability to do actions on an Android smartphone without the user's permission or knowledge. As noted below, Google's new policies further restrict how this policy can be applied: 
  • Change user settings without their permission or prevent the ability for users to disable or uninstall any app or service unless authorized by a parent or guardian through a parental control app or by authorized administrators through enterprise management software; 
  • Workaround Android built-in privacy controls and notifications; or
  • Change or leverage the user interface deceptively or otherwise violates Google Play Developer Policies.
Google has also released a policy change that tightens the "REQUEST INSTALL PACKAGES" permission. Many malicious software publishers hide package-fetching technology that downloads malicious modules after installation to have their submission accepted on the Play Store. Users interpret these activities as "request to update" or "download new content," and they either authorise the action when presented with the corresponding prompt or don't notice because it occurs in the background. 

Google aims to narrow this loophole by imposing new permission requirements, bringing light to an area that was previously unregulated. Apps that use this permission must now only fetch digitally signed packages, and self-updates, code modifications, or bundling of APKs in the asset file will still require the user's authorization. For all apps using API level 25 (Android 7.1) or higher, the new REQUEST INSTALL PACKAGES policies will enter into force on July 11th, 2022.

To Mimic Microsoft, Phishing Employs Azure Static Web Pages


Microsoft Azure's Static Web Apps service is being exploited by phishing attacks to acquire Microsoft, Office 365, Outlook, and OneDrive passwords. Azure Static Web Apps is a Microsoft tool that allows to build and deploy full-stack web apps to Azure using code via GitHub or Azure DevOps.

MalwareHunterTeam, a security expert, uncovered the campaign. Attackers might imitate custom branding and website hosting services to install static landing phishing sites, according to the study. Users using Microsoft, Office 365, Outlook, and OneDrive services are being targeted by attackers who are actively mimicking Microsoft services. 

Several of the web pages and login pages in these phishing attempts are nearly identical to official Microsoft pages. Azure Static Web Apps is a program that uses a code repository to build and publish full-stack apps to Azure. 

Azure Static Apps has a process that is customized to a developer's everyday routine. Code changes are used to build and distribute apps. Azure works exclusively with GitHub or Azure DevOps to watch a branch of their choice when users establish an Azure Static Web Apps resource. A build is automatically done, and your app and API are published to Azure every time they post patches or allow codes into the watched branch. 

Targeting Microsoft users with the Azure Static Web App service is a great strategy. Because of the * wildcard TLS certificate, each landing page gets its own secure page padlock in the address bar. After seeing the certificate granted by Microsoft Azure TLS Issuing CA 05 to *, even the most skeptical targets will be fooled, certifying a fraud site as an official Microsoft login screen in the eyes of potential victims.

Due to the artificial veil of security supplied by the legitimate Microsoft TLS certs, such landing sites are also useful when targeting users of other platforms, such as Rackspace, AOL, Yahoo, or other email providers. 

When trying to figure out if one is being targeted by a phishing assault, the typical advice is to double-check the URL whenever we're asked to enter one's account credentials in a login. Unfortunately, phishing efforts that target Azure Static Web Apps render this advice nearly useless, since many users will be fooled by subdomain and genuine TLS certificate.

Ukrainian Researcher Released  Software for Conti Ransomware


Conti, the notorious ransomware gang, is now the subject of cyberattacks following its proclamation early last week, it wholeheartedly supports Russia's continuing invasion of neighboring Ukraine, with the most recent blow being the public release of its source code. 

This comes only days after an archive comprising well over a year's worth of instant conversations between members of Conti, believed to be based in Russia, was leaked: speaking 400 files and tens of thousands of lines of Russian-language internal chat logs. Messages from January 2021 to February 27 of such a year can be found in the internal communication files.

Its analysis cited a cybersecurity bulletin issued jointly by the Cybercrime and Infrastructure Agency (CISA) and the FBI over the weekend, which warned Russia's attack on Ukraine – which also included cyberattacks on the Ukrainian government and key infrastructure organizations – could spill over Ukraine's borders, especially in the wake of US and allied sanctions. 

Throughout the night, ContiLeaks began publishing more information, including the source code for the gang's administration panel, the BazarBackdoor API, storage server screenshots, and more. A password-protected folder including the source code for the Conti ransomware encryptor, decryptor, and function Object() { [native code] } was one component of the release to get people interested.While the leaker did not reveal the password publicly, another researcher cracked it soon after, giving everyone access to the Conti ransomware malware files' source code. 

The code may not provide more information if you are a reverse engineer. For those who can program in C but not reverse engineer, the source code contains a wealth of information about how the malware operates. While this is beneficial for security research, having this code available to the public has its pitfalls. Threat actors immediately coopt the code to establish their own operations, as we observed when the HiddenTear (for "educational purposes") and Babuk malware source code was leaked. 

In May, the FBI issued a five-page [PDF] warning to American firms about Conti ransomware assaults on healthcare and first-responder networks, citing at least 16 such attacks by Conti in the previous year and ransom demands as high as $25 million. 

"As a result of Russia's invasion, cybercrime organizations such as Conti have taken sides, with the assumption that many of these organizations are linked to Russia and perhaps to Russian intelligence", Brett Callow, a vulnerability analyst at Emsisoft, a cybersecurity firm based in New Zealand, stated.

Mac Coinminer Employs a Novel Approach to Mask Its Traffic


A Mac coinminer has been discovered exploiting customizable open-source software to enhance its malicious activity. This sample incorporates a variety of altered open-source elements which the malicious actor customized to fulfill the agenda. The sample was indeed discovered concealing its network traffic with i2pd (called I2P Daemon). The Invisible Internet Protocol, or I2P client, is constructed in C++ by I2pd. I2P is a worldwide anonymous network layer which enables anonymous end-to-end encrypted communication without revealing the participants' real IP addresses. 

Coinminer is the major malware sample which has been found. MacOS. MALXMR.H is a Mach-O file which was also identified by numerous vendors because it includes XMRig-related strings as sourcing tools like Yara. Its accessibility makes, XMRig to be often utilized by other viruses to execute crypto mining. 

The primary Mach-O sample was discovered to be ad hoc-signed. This indicates the Mach-O binary is difficult to run on Mac systems, and Gatekeeper, a built-in security mechanism for macOS which enforces code signing, may prohibit it. 

The Mach-O sample is suspected to have arrived in a DMG (an Apple image format for compressing installations) of Adobe Photoshop CC 2019 v20.0.6. Apparently, the parent file could not be located. The piece of code was identified in one of its discarded files, which led to the conclusion. The sample attempts to create a non-existent file in the /Volumes path in this code. It's worth noting when double-tapping DMG files on macOS, they get automatically mounted in the /Volumes directory. 

Several embedded Mach-O files were discovered in the core Mach-O sample (detected as Coinminer.MacOS.MALXMR.H). It uses the API to elevate rights by enabling the user for authentication when it is performed. The following files have been deposited into the system by the sample:
  •  /tmp/lauth /usr/local/bin/com.adobe.acc.localhost
  •  /usr/local/bin/
  •  /usr/local/bin/com.adobe.acc.installer.v1 

As per Trend Micro, the sample used the auth file for persistence. The Mach-O file is in charge of creating the persistence files for the malware:

"The file is an XMRig command-line app which has been modified. When launching the app, enter help or version in the variables to see what it's about. The help argument displays a list and overview of the parameters which can be utilized, whereas the version parameter reveals the version of the XMRig binary," according to the experts.

It is suggested to update the products and keep up with the latest patterns. Users should avoid downloading apps from shady websites and exercise excellent digital hygiene.

Brave Disabled a Chrome Extension Linked to Facebook Users


Last week, security analyst Zach Edwards stated how Brave had restricted the L.O.C. Chrome extension citing concerns it leaked the user's Facebook information to the third server without warning or authorization prompt. An access token used by L.O.C. was obtained easily from Facebook's Creator Studio online app. After retrieving this token — a text thread made up of 192 alphanumeric characters – from the apps, the chrome extensions can use it with Facebook's Graph API to get data about the signed-in user without being a Facebook-approved third-party app. 

The concern is whether this type of data access could be exploited. Without the user's knowledge, an extension using this token could, copy the user's file and transmit it to a remote server. It might also save the user's name and email address and use it to track them across websites. According to a Brave official, the business is working with the programmer to make certain changes — most likely an alert or permission prompt – to ensure the extension is appropriate in terms of privacy and security. 

In September 2018, Facebook announced a security breach impacting nearly 50 million profiles, it blamed criminals for stealing access tokens supplied by its "View As" function, allowing users to see how the profiles appear to others." They were able to steal Facebook access tokens, which subsequently used to take over people's accounts," said Guy Rosen, Meta's VP of Integrity.

Cambridge Analytica accessed people's Facebook profiles using a third-party quiz app which was linked to the social media platform. One would assume a quiz app won't disclose your Facebook profile information with others, and a Chrome extension won't do the same. Despite Facebook's assurances, some steps must be taken to prevent a repetition of the Cambridge Analytica scandal, the Creators Studio access tokens in the hands of a malicious and widely used Chrome extension might lead to a rerun of history. 

Part of the problem is Google's Chrome extensions seem easy to corrupt or exploit, and Meta, aside from reporting the matter to Google, has no immediate ability to block the deployment of extensions which abuse its Graph API. The Creator Studio token is detailed to the user's session, according to a Meta representative, meaning it will terminate if the extension user signs out of Facebook. And, if the token hasn't been transferred to the extension developer's server, as looks to be the situation with the L.O.C. extension, uninstalling it will also result in the token expiring. 

Meta has asked Google to delete the extension from the Chrome Web Store once more and is looking into alternative options.

Facebook has Exposed a 'God Mode' Token that Might be Used to Harvest Data


Brave stated that it is prohibiting the installation of the popular Chrome extension L.O.C. because it exposes users' Facebook data to potential theft. "If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data," explained Francois Marier, a security engineer at Brave, in a post. "The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued." 

Loc Mai, the extension's developer, stated in an email that the Graph API on Facebook requires a user's access token to function. The extension sends a GET request to Creator Studio for Facebook to receive the token, which allows users of the extension to automate the processing of their own Facebook data, such as downloading messages. The request returns an access token to the extension for the logged-in Facebook user, allowing additional programmatic interactions with Facebook data. 

Zach Edwards, a security researcher, said, "Facebook faced nearly an identical scandal in 2018 when 50 million Facebook accounts were scrapped due to a token exposure." Nonetheless, Facebook appears to regard this data dispensing token as a feature rather than a bug. 

According to Mai, his extension does not harvest information, as stated in the extension's privacy policy. Currently, the extension has over 700,000 users. "The extension does not collect the user's data unless the user becomes a Premium user, and the only thing it collects is UID – which is unique to each person," explained Mai. 

As per Mai, the extension saves the token locally under localStorage.touch. This is a security concern but is not evidence of wrongdoing. L.O.C. is still available on the Chrome Web Store. A malicious developer, on the other hand, might harvest Facebook data using the same access technique, because Facebook is releasing a plain-text token that grants "god mode," as Edwards describes it. 

According to Edwards, Facebook's Terms of Service fall short in this regard because, while the company requires individuals to utilize its app platform, it does not prohibit people from utilizing browser extensions. 

This loophole, which exposes user data, is exacerbated by the way Chrome extensions now work. According to Edwards, Chrome extensions can seek authorization on one domain you control and another you don't, and then open a browser tab upon installation to scrape API tokens and session IDs for various types of apps.

Forged Kubernetes Apps is used to Extract Sensitive Data from Argo CD Setups


Argo CD is among the most popular Kubernetes continuous deployment technologies. Besides being easy to operate, it has a lot of power too. Kubernetes GitOps is the first tool that comes to mind. For cluster bootstrapping, Argo CD uses the App of Apps pattern.

Instead of manually developing each Argo CD app, we can make it programmatically and automatically. The idea is simple: make a single Argo CD application that looks for a git repo directory and puts all of the Argo CD application configuration files there. As a result, whenever an application definition file is created on the git repo location, the Argo CD application is immediately produced. Inspiringly, any Kubernetes object, including Argo CD, can be generated or handled. 

Apiiro's Security Research team discovered a vulnerability scanning supply chain 0-day vulnerability (CVE-2022-24348) in Argo CD, another famous open source Continuous Delivery platform, which allows attackers to access sensitive data like secrets, passwords, and API keys. 

Argo CD organizes and instigates the operation and monitoring of post-integration application deployment. A user can create a new deployment pipeline by specifying an Archive or a Kubernetes Helm Chart file which contains:
  • The metadata and data required to deploy the correct Kubernetes setup.
  • The ability to update the cloud setup dynamically as the manifest is changed. 

A Helm Infographic is a YAML document that has multiple fields which constitute a declaration of assets and configurations required for an application to be deployed. File names and indirect paths to self-contained software sections in other files are one form of value that can be found in the application in question. 

In reality, Argo CD contributors predicted as this type of exploitation will be available in 2019 and designed a dedicated framework to facilitate it. The vulnerability has two consequences: 

First, the direct consequences of reading contents from other files on the repository, which may contain sensitive data. The aforementioned can have a significant influence on a company. 

Second, because application files typically contain a variety of transitive values of secrets, tokens, and environmentally sensitive settings, the attacker can effectively use this to expand the campaign by moving laterally through different services and escalating the privileges to gain more ground on the system and target organization's resources. 

Argo CD-reposerver is a central server or pod where repositories are saved; apart from file architecture, there is no robust segmentation, hence the anti-path-traversal technique is a crucial component of file security. The mechanism's inner workings are mostly contained in a single source code file called util/security/path traversal.go, which details the systematic cleanup of origin path input.

The Cat and Mouse Chase of Account Takeovers

Cequence Security Threat Research Team analyzed more than 21 billion applications transactions between June and December of 2021, API-based account registration and login transactions raised by 92 percent and around 850 million. It highlights the fact that hackers cherish APIs as developers do. The same database that shows account takeover (ATO) attacks on login APIs grew by 62 percent. An ATO causes an end-user to panic, with getting messages like “you have received a password reset notification from your favorite retailer/social media/financial institution because your account has been compromised.” 

If you are ever hit by an ATO, you will probably not want to conduct business with the organization that is associated with the account. This affects businesses by causing them to lose valuable customers and also hits the profit bottom lines due to loss in sales, brand damage, and infrastructure cost overruns. ATO techniques have evolved over credential stuffing, which is a high-volume, generally used technique. ATO now includes slow and low attacks having specific usernames and passwords. It follows a pattern, for instance, attacks on organizations and employees having some social presence (recommendations, reviews, etc.). 

For these people, ATOs have become a constant problem, the goal here is not to steal sensitive information, but to use these hijacked accounts for amplifying negative or positive information. The patterns observed in these attacks have been seen earlier in varying forms in different customer environments. Bots go silent for a while but return to cause more damage. Noticing these bot behaviors suggested that botters work together by sharing ideas, studying unsafe vectors (deprecated APIs), to prepare for the next attack. 

A robust defense system will require continuous monitoring, reviewing of all endpoints- mobile and Web API, cooperation between safety and peers. "ATO is a problem that more and more organizations are facing as threat actors want to steal gift cards, access one-click purchasing, and dominate hype-sales to buy and resell the inventory. As we have seen through this analysis, the pace and vigor are on the rise. All organizations that have an authenticated application should consider monitoring for ATO, and build mitigations to ensure their customer satisfaction remains high," writes Jason Kent for Threat Post.

Kiteworks Leased Email Encryption Totemo


Kiteworks, the leading email encryption gateway supplier, regulates and secures vital digital content traveling within and out of global corporations, and used by hundreds of the largest multinational organizations in the German, Austrian, and Swiss markets. Kiteworks enables businesses to effectively manage risk and assure compliance with all the sensitive content sent, shared, received, and saved. 

This is accomplished using the Kiteworks platform, which unifies, tracks, controls, and secures all sensitive digital content communications sent through the platform via email, file share, managed file transfer, web forms, and application programming interfaces (APIs).

The totemo purchase expands the Kiteworks platform's email functionality beyond user or plug-in activation within the platform to the native mail client, offering automatic coverage of any sensitive digital content sent and received via email. 

Email content metadata on individuals, apps, devices, networks, protocols, and files will be centrally digested and normalized as totemo's technology will be integrated into the Kiteworks platform in the coming months. To limit the danger of private information being exposed and to meet regulatory compliance requirements, companies can establish centralized and comprehensive tracking and controls. 

Businesses that use this integrated intelligence will strengthen and expand the total cyber-defense strategy, extending privacy protection and compliance beyond the data center, cloud, and wide-area network (WAN) perimeters to third-party sensitive content communications. 

"Acquisition of totemo automates and extends the platform's email encryption with S/MIME, OpenPGP, and TLS protocols," explains Jonathan Yaron, Chairman and Chief Executive Officer of Kiteworks. The acquisition will have a major impact on the governance, compliance, and security industries. Customers may manage and regulate critical information that is distributed both internally and internationally using a mix of technologies from two industry leaders in content communications. 

Kiteworks' ability to allow customers to manage risk and meet regulatory requirements throughout their sensitive content communications infrastructure is strengthened by the synergy between the two businesses' product offerings.

Enterprise-ready, end-to-end encryption and automatic conversion across a wide range of encryption protocols are added to the Kiteworks platform by totemo. No other provider can match this set of skills, much alone the associated business benefits like compliance, risk mitigation, and operational efficiency. 

The conclusion is that businesses must do more to safeguard their sensitive data. CIOs, CISOs, and risk and compliance managers are under increasing pressure to secure sensitive data and demonstrate regulatory compliance while reducing friction in employees' day-to-day procedures. It must safeguard content when it is at rest, in transit, and in use. 

It also needs to safeguard content during file transfers and file sharing, within APIs, and on web forms, in addition to email. Totemo's email encryption gateway technology will be integrated into the Kiteworks platform, resulting in the most comprehensive private content communications governance, compliance, and risk protection available in the market.

SEGA's Europe Security : AWS S3 Bucket Exposed Provides Steam API Access


During a cloud-security assessment, SEGA Europe discovered that critical data was being kept in an unsecured Amazon Web Services (AWS) S3 bucket, and it's sharing the story to encourage other companies to double-check their own systems. VPN Overview researcher Aaron Phillips collaborated with SEGA Europe to protect the leaked data. SEGA's revelation, according to Phillips, is designed to assist the broader cybersecurity community in improving their own defenses.

The unsecured S3 bucket may be used to access user data, including information on thousands of members of the Football Manager forums at The following are the issues that have been detected in SEGA Europe's Amazon cloud: 

  • Developer key for Steam 
  • RSA keys are a type of cryptography. 
  • PII and passwords that have been hashed 
  • API key for MailChimp 
  • Credentials for Amazon Web Services 

Sensitive data in hands of a malicious actor could be disastrous for any company, but as Lookout's Hank Schless explained to Threatpost, gaming companies continue to be of particular interest to attackers. To threat actors, gaming firms hold a gold mine of personal data, development information, proprietary code, and payment information. Gaming firms must ensure that their data is protected while consumers from all over the world play their games, thanks to data privacy rules like the CCPA and GDPR.

Indeed, well-known brands like Steam, Among Us, Riot Games, and others have been hacked and utilized to deceive innocent gamers. There is no evidence that malevolent third parties had previously accessed sensitive data or exploited any of the disclosed vulnerabilities, according to the security firm. Researchers were able to upload files, run scripts, edit existing web pages, and change the settings of critically susceptible SEGA domains, according to the researchers.,,,, and are among the affected sites. The domain authority scores of several of the afflicted domains are high. 

This cybersecurity research should serve as a wake-up call for enterprises to evaluate their cloud security procedures. The researchers are hoping that more companies follow SEGA's lead in researching and addressing known vulnerabilities before fraudsters use them. There is no evidence that malevolent third parties had previously accessed sensitive data or exploited any of the disclosed vulnerabilities, according to the security firm.

Web Applications Attacks are on the Rise


Imperva Research Labs discovered that attacks are increasing by 22% per quarter in a survey of approximately 4.7 million web application-related cyber security incidents. Worryingly, the pace of increase in such attacks has continued to rise, with a 67.9% increase from Q2 2021 to Q3. One of the most noticeable rises was in Remote Code Execution (RCE) / Remote File Inclusion (RFI) assaults, which increased by 271%. RCE / RFI attacks are used by hackers to steal information, compromise servers, or even take over websites and manipulate their content. 

“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” said Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems. “The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones, and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack.” 

As a result of the growth in web app attacks, there has been a significant increase in data breaches. Imperva Research Labs discovered earlier this year that online applications are the source of 50% of all data breaches. With the frequency of breaches increasing by 30% each year and the number of records stolen increasing by an astounding 224%, it is anticipated that 40 billion records will be compromised by the end of 2021, with web application vulnerabilities expected to be responsible for roughly 20 billion. 

“The pandemic placed immense urgency on businesses to get all kinds of digital transformation projects live as quickly as possible, and that is almost certainly a driving factor behind this surge in attacks,” says Peter Klimek, Director of Technology at Imperva. 

The changing nature of application development is also extremely important. Developments such as the rapid growth of APIs and the shift to cloud-native computing are advantageous to DevOps, but these changes in application architecture and the accompanying increased attack surface are making security teams' tasks much harder, according to Peter. 

During the pandemic, losses from fraud and cybercrime have spiraled out of control, with the National Fraud Intelligence Bureau estimating that over £1.3 billion was lost in the first half of 2021 alone, more than three times the amount lost in the same period in 2020. These estimates indicate that the problem will increase during 2022.

The usual approach of the security team identifying vulnerabilities and the development team correcting them will not work; Dzihanau said that the feedback cycle must be swift and collaborative.

Slack API Exploited by Iranian Threat Actor to Attack Asian Airline


According to IBM Security X-Force, the Iran-linked advanced persistent threat (APT) attacker MuddyWater has been discovered establishing a backdoor that exploits Slack on the network of an Asian airline. 

The hacking gang, also known as MERCURY, Seedworm, Static Kitten, and ITG17, predominantly targets throughout the Middle East and other regions of Asia. 

MuddyWater successfully infiltrated the networks of an undisclosed Asian airline in October 2019, according to IBM X-Force, with the detected activities continuing into 2021. 

According to IBM's security researchers, the adversary used a PowerShell backdoor named Aclip, which uses a Slack communication API for command and control (C&C) operations such as communication and data transmission. 

Provided that numerous different Iranian hacking groups got access to the very same victim's infrastructure in far too many cases, IBM X-Force suspects that the other adversaries were also associated in this operation, particularly considering that Iranian state-sponsored malicious actors have already been targeting the airline industry – primarily for monitoring purposes – for at least a half-decade. 

A Windows Registry Run key has been exploited in the observed event to permanently perform a batch script, which then runs a script file (the Aclip backdoor) using PowerShell. The malware could collect screenshots, acquire system information, and exfiltrate files after receiving commands via attacker-created Slack channels. 

The attacker guarantees that malicious traffic mixes in along with regular network traffic while using Slack for communication. Other virus groups have also leveraged the collaborative application for similar objectives. 

Following notification of the malicious activities, Slack initiated an investigation and removed the reported Slack workspaces. 

“We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” Slack said.

IBM's researchers are certain that the malicious actor is behind the activities based on custom tools used throughout the attack, TTP overlaps, used infrastructure, and MuddyWater's previous targeting of the transportation sector.

A URL Parsing Bug Left an Internal Google Cloud Project Open to SSRF Attacks


According to security researcher David Schütz, a URL parsing flaw exposed an internal Google Cloud project to server-side request forgery (SSRF) attacks. The bug, which Schütz detailed in a video and blog post, might have allowed an attacker to gain access to sensitive resources and perhaps launch harmful code.

Server-side request forgery is a web security flaw that allows an attacker to force a server-side application to send HTTP requests to any domain the attacker chooses. The attacker may cause the server to connect to internal-only services within the organization's infrastructure in a conventional SSRF attack. They may also be able to force the server to connect to arbitrary external systems, exposing sensitive data such as authorization credentials. 

Unauthorized activities or access to data within the company can often arise from a successful SSRF attack, either in the vulnerable application itself or on other back-end systems with which the programme can interface. The SSRF vulnerability could allow an attacker to execute arbitrary commands in some circumstances. An SSRF vulnerability that establishes connections with external third-party systems could lead to malicious attacks that appear to come from the company that hosts the vulnerable application. 

While researching Discovery Documents, data structures that give specifications for Google API services, Schütz discovered the problem. While looking through the Discovery Documents, Schütz came upon an intriguing service named Jobs API, which had the appearance of being an internal service. The Jobs API led him to an application on the Google App Engine that acted as a proxy, allowing him to access the API through Google's public product marketing pages. The proxy acted as an intermediate between the user and the API, which meant it had an access token that could be used to launch SSRF attacks. 

Request URLs were run via a whitelist to restrict access to internal Google resources. Schütz, however, was able to fool the URL parser and bypass the whitelist, allowing him to send requests to any server he wanted. This allowed him to send requests from the proxy app to a Google Cloud VPS server. The request revealed the proxy app's access token, which he could then use to send requests to other Google Cloud projects.

“This issue feels like an industry-wide problem since different applications are parsing URLs based on different specifications,” Schütz said. “After disclosing the initial issue in the Google JS library, I have already seen this getting fixed in products from different companies as well. Even though, this issue still keeps popping up even at Google. This SSRF is a great example of it.”

Elastic Stack API Security Vulnerability Exposes Customer and System Data


The mis-implementation of Elastic Stack, a collection of open-source products that employ APIs for crucial data aggregation, search, and analytics capabilities, has resulted in severe vulnerabilities, according to a new analysis. Researchers from Salt Security uncovered flaws that allowed them to not only conduct attacks in which any user could extract critical customer and system data, but also to create a denial of service condition in which the system would become inaccessible. 

“Our latest API security research underscores how prevalent and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs observed the same architectural design mistakes in almost every environment that uses it,” said Roey Eliyahu, co-founder and CEO, Salt Security. “The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk.” 

The vulnerability was originally detected while safeguarding one of their customers, a huge online business-to-consumer platform that provides API-based mobile applications and software as a service to millions of consumers around the world, according to the researchers. 

 Officials at Salt Security were eager to point out that this isn't a flaw in Elastic Stack itself, but rather a problem with how it's being deployed. According to Salt Security's technical evangelist Michael Isbitski, the vulnerability isn't due to a fault in Elastic's software, but rather to "a common risky implementation set up by users." 

"The lack of awareness around potential misconfigurations, mis-implementations, and cluster exposures is largely a community issue that can be solved only through research and education," Isbitski said. API threats have increased 348% in the last six months, according to the Salt Security State of API Security Report, Q3 2021. The development of business-critical APIs, combined with the advent of exploitable vulnerabilities, reveals the substantial security flaws that occur from the integration of third-party apps and services.

The impact of the Elastic Stack design implementation flaws rises considerably when an attacker chains together multiple attacks, according to Salt Labs researchers. Attackers can use the lack of authorization between front-end and back-end services to establish a working user account with basic permission levels, then make educated assumptions about the schema of back-end data stores and inquire for data they aren't authorized to access. 

Salt Labs was able to gain access to a large amount of sensitive data, including account numbers and transaction confirmation numbers, as part of its research. Some of the sensitive information was also private and subject to GDPR regulations. Attackers could use this information to access other API-based features, such as the ability to book new services or cancel existing ones.