Search This Blog

Showing posts with label AWS. Show all posts

GitHub Supply Chain Attack Cloned Thousands of Repositories to Target Developers

 

GitHub, a code repository with more than 83 million developers, has been targeted in a supply chain attack.

The attack was unearthed earlier this week by software developer Stephen Lacy and involved a hacker cloning and adding malicious code to more than 35,000 GitHub repositories while keeping intact the code’s original source code. Nearly 40 percent (13,000) of the repositories compromised originated from a single organization, called “redhat-operator-ecosystem” on the site, a spoof of the RedHat openshift ecosystem. 

The cloned projects attempted to lure users to click on them by spoofing genuine user accounts, using names identical to the original project and legitimate-sounding firm names. 

The malicious code allowed the repositories to exfiltrate the environment variables containing sensitive data like Amazon AWS credentials, API keys, crypto keys, and a one-line backdoor. The malware also allowed remote hackers to execute arbitrary code on those systems that install/run the clones. 

The weaponized code could lead to developers accidentally downloading cloned code repositories that contain malicious code. If used in their applications, this would then lead them to expose their users to code that includes malware. 

Fortunately, Lacy thwarted the attack by removing the affected projects and organizations including Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned. 

According to security experts, cloning open-source code is common among developers. But, in this case, the hackers injected malicious code/links into genuine GitHub projects to target innocent users.

The methodology applied by hackers is identical to the approach unearthed by ReversingLabs last month, where typo-squatting packages were being picked up by GitHub-owned NPM, and then exfiltrated data from forms designed with the malicious packages. 

Additionally, the researchers identified more than two dozen infected packages, all cloning popular NPM packages, stretching back to December 2021. 

Thwarting supply chain attacks 

 GitHub has issued an advisory for guarding the code supply chain on its website. 

• For accounts employed for personal use as well as those used by organizations and enterprises, set up two-factor authentication. 
• Connect to GitHub using secure socket shell (SSH) keys. 
• For enterprises, centralize user authentication. 
• Design a vulnerability management program for dependencies which will allow them to have full visibility over any vulnerabilities the code they are using has. 
• Avoid using passwords or API keys within the source code. 
• Block vulnerable coding patterns by reviewing and examining all pull requests before merging.

Python Libraries Hacked AWS Data and Keys  

 

Sonatype researchers have found malicious Python packages that post your AWS credentials and user characteristics to a publicly accessible endpoint rather than just exploiting sensitive data. Some malicious packages with the Sonatypes are as follows:
  • loglib-modules — seems targeted at coders who are familiar with the authentic "loglib library."
  • pyg-modules — seems aimed at coders who are familiar with the basic "pyg" library.
  • Pygrata:Unknown target, pygrata-utils contains identically noxious code to that found in "loglib-modules." 
  • hkg-sol-utils: Unknown goal 

The anti-ransomware detection technology provided by Sonatype as part of Nexus platform products, such as Nexus Firewall, found these packages. Researchers found these packages to be harmful after further analysis, thus, out of precaution, they reported this to the PyPI security team, so these packages were withdrawn. "This kind of package either has code that reads and phishes your secrets or employs a dependency that does it”, according to an analysis by   Sonatype security researchers Jorge Cardona and Carlos Fernández. 

For instance, the malicious software in the packages "loglib-modules" and "pygrata-utils" enables the programs to gather AWS credentials, network interface data, and environment variables and ship them to a remote location. IAM role details for an EC2 cloud instance are reported to be returned using the URL 'hxxp:/169.254.169[.]254/latest/meta-data/iam/security-credentials/'. 

Unsettlingly, there are hundreds of endpoints holding this data. Since TXT files were not encrypted by any security measures, anyone with access to the internet could essentially access these credentials. It's vital to know that packages like "pygrata" depend on one of the two aforementioned modules rather than containing the code themselves. It is still unknown who the malicious actors are and what propels them. 
 
Users of Nexus Firewall are shielded 

If the stolen credentials posted online on purpose or as a result of bad opsec procedures? There isn't enough information available right now to rule out the possibility that this action is suspect, even if it is valid security testing as per researchers. This finding comes after the report last week of several malicious vendors, including the npm package "flame-vali," which repeatedly tried to disable Windows Defender before releasing a trojan.

The software supply chain will be safeguarded from the start thanks to Nexus Firewall instances that immediately quarantine any suspect components found by automated malware detection systems while a subjective evaluation by a researcher is being prepared.

AWS, and Alibaba Cloud was Attacked by Crypto Miners

 

An intel source recently provided Cisco Talos with modified versions of the TeamTNT cybercrime team's infected shell scripts, an earlier version of which was documented by Trend Micro. The malware creator modified these tools after learning that security experts had disclosed the prior version of its scripts. These scripts are intended primarily for Amazon Web Services (AWS), but they might also be used on-premise, in containers, or in other Linux instances. 

There are multiple TeamTNT payloads focusing on bitcoin mining, persistence, and lateral movement employing tactics like identifying and installing on with all Kubernetes pods in a local network, in addition to the primary credential stealer scripts. A script containing user credentials for the distribution system server and another with an API key which may allow remote access to a tmate shared login session is also included. Defense evasion functions aimed at defeating Alibaba cloud security technologies are included in some TeamTNT scripts.

When it comes to decision making obtaining credentials, the script looks for them in the following places and APIs: 

  • It attempts to obtain the string 'AWS' from /proc/*/environ from the Linux system environment variables. 
  • Obtaining the string 'AWS' from Docker environment variables with the command $(docker inspect $) (docker ps -q).
  • /home/.aws/credentials and /root/.aws/credentials are the default AWS CLI credential file locations.
While the query itself will not be caught by Cisco Secure Cloud Analytics, the alert "AWS Temporary Token Persistence" will detect later use of these credentials to generate further temporary credentials. Finally, the virus saves any credentials acquired by the preceding functions to the file "/var/tmp/TeamTNT AWS STEALER.txt" and uses cURL to transfer it to the URL http://chimaera[.]cc/in/AWS.php before deleting it. 

No CloudTrail, GuardDuty, or SCA events were generated when the script ran on the target EC2 instance for all network traffic was restricted by the VPC Security Group such as the script could not access TeamTNT's servers. 

The core of the defense impairment functions is directed against Alibaba Cloud Security's numerous agents, how, they also target Tencent Cloud Monitor and third-party BMC Helix Cloud Security, agents. While the bulk of malicious scripts targets AWS Elastic Compute Cloud (EC2) virtual machines, these bots are most typically detected running inside Alibaba Cloud Elastic Compute Service (ECS) or a Tencent Cloud VM. They could theoretically be put on a VM operating on AWS or any other service, but it would be unusual. TeamTNT makes no attempt to disable AWS CloudWatch, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other popular cloud security tools in the United States. 

The Alibaba defense damage routines have been retrieved and saved here from the script Kubernetes root payload 2.sh. Since static analysis of the defense impairment functions is problematic due to the presence of multiple Base64 encoded strings, those functions have been decrypted and placed back into the file ali-defense-impairment-base64-decoded.sh.txt. 

"Cybercriminals who have been exposed by security researchers should update those tools to keep functioning successfully," stated Darin Smith of Talos. 

The serious remote code execution problem in Spring Framework (CVE-2022-22965) has been leveraged to deploy cryptocurrency miners, in yet another example of how threat actors quickly co-opt recently revealed flaws into existing attacks. To deploy the cryptocurrency miners, the exploitation efforts employ a unique web shell, but not before switching off the firewall and disabling other virtual currency miner processes.

Nanocore, Netwire, and AsyncRAT Distribution Campaigns Make Use of Public Cloud Infrastructure

 

Threat actors are actively leveraging Amazon and Microsoft public cloud services into their malicious campaigns in order to deliver commodity remote access trojans (RATs) such as Nanocore, Netwire, and AsyncRAT to drain sensitive information from compromised systems. The spear-phishing assaults, which began in October 2021, largely targeted companies in the United States, Canada, Italy, and Singapore, according to Cisco Talos researchers. 

These Remote Administration Tools (RATs) versions are loaded with features that allow them to take control of the victim's environment, execute arbitrary instructions remotely, and steal the victim's information. 

A phishing email with a malicious ZIP attachment serves as the initial infection vector. These ZIP archive files include an ISO image that contains a malicious loader in the form of JavaScript, a Windows batch file, or a Visual Basic script. When the initial script is run on the victim's machine, it connects to a download server to obtain the next step, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.

Using existing legitimate infrastructure to assist intrusions is increasingly becoming part of an attacker's playbook since it eliminates the need for the attacker to host their own servers and may also be used as a cloaking strategy to avoid detection by security solutions. 

Collaboration and communication applications such as Discord, Slack, and Telegram have found a home in many infection chains in recent months to hijack and exfiltrate data from victim machines. Cloud platform abuse is a tactical extension that attackers may utilize as the first step into a large array of networks. 

"There are several interesting aspects to this particular campaign, and it points to some of the things we commonly see used and abused by malicious actors," said Nick Biasini, head of outreach at Cisco Talos. "From the use of cloud infrastructure to host malware to the abuse of dynamic DNS for command-and-control (C2) activities. Additionally, the layers of obfuscation point to the current state of criminal cyber activities, where it takes lots of analysis to get down to the final payload and intentions of the attack."

The use of DuckDNS, a free dynamic DNS service, to generate malicious subdomains to deliver malware is also noteworthy, with some of the actor-controlled malicious subdomains resolving to the download server on Azure Cloud while other servers function as C2 for the RAT payloads.

"Malicious actors are opportunistic and will always be looking for new and inventive ways to both host malware and infect victims. The abuse of platforms such as Slack and Discord as well as the related cloud abuse are part of this pattern," Biasini concluded.

Dell and AWS Partner to Prevent Customer Data from Cyberattacks

 

Dell Technology has partnered with AWS (Amazon Web Services) to safeguard customer data from cyberattacks by incorporating Dell's cyber recovery solution to the AWS Marketplace with the release of Dell EMC PowerProtect Cyber Recovery for AWS. Outdated cybersecurity firms are finding it difficult to prevent against malware and cyberattacks. With an increase in with from home culture and remote work since past two years, cybersecurity throughout the internet and cloud platforms has become more sophisticated. 

During the same time, the number of ransomware, malware, and hacking attacks has risen drastically, with more than 33% of organizations suffering ransomware breaches. Even amateur threat actors use RaaS (ransomware as a service) platforms to execute efficient and sophisticated cyber attacks. Via the AWS Marketplace, consumers can easily buy and use air tight cyber vault from Dell, to help safeguard and separate data away from a ransomware attack. 

Dell EMC PowerProtect Cyber Recovery for AWS offers multiple levels of protection with a unique approach that helps AWS customers to start normal business task easily and without any fear after a ransomware attack. In a statement, Dell said "the solution moves a customer’s critical data away from the attack surface, physically and logically isolating it with a secure, automated operational air gap. Unlike standard backup solutions, this air gap locks down management interfaces, requiring separate security credentials and multi-factor authentication for access." 

Nowadays, organizations are adopting various IT infrastructures across the on-premises environment and public cloud, data safety solutions can help in robust data security. Dell EMC PowerProtect Cyber Recovery for AWS offers customers help via addressing the rising risks of ransomware and different cyberattacks. Dell VP of data protection product management, David Noy said "data is a strategic asset and protecting it against ransomware and other cyberattacks is critical for organizations to make informed decisions about their business and thrive in today’s digital economy."

Chimaera Toolkit Found on Thousands of Windows and Linux Systems Worldwide

 

AT&T's Alien Labs security branch has raised the alarm about a TeamTNT malware campaign that has gone almost totally undiscovered by anti-virus systems and is converting target machines into bitcoin miners, according to the company. TeamTNT, dubbed "one of the most active threat organizations since 2020" by Alien Labs researcher Ofer Caspi, is notorious for its exploitation - and misuse - of open-source security tools for anything from identifying susceptible targets to dumping remote-control shells. 

Last year, TeamTNT was discovered and linked to bitcoin mining malware being installed on susceptible Docker containers. Trend Micro discovered that the organization tries to steal AWS credentials in order to spread to other servers, while Cado Security discovered TeamTNT targeting Kubernetes installations more recently. 

The port scanner Masscan, libprocesshider software for running the TeamTNT bot from memory, 7z for file decompression, the b374k shell php panel for system control, and Lazagne are among TeamTNT's open-source tools. 

Palo Alto Networks' Unit 42 found Chimaera, a software repository that "highlights the expanding scope of TeamTNT operations within cloud environments as well as a target set for current and future operations," according to the company.

Now, AT&T's Alien Labs has shed additional light on Chimaera, claiming that it has been in use since July and is "responsible for thousands of infections globally" across Windows, Linux, AWS, Docker, and Kubernetes targets, all while eluding detection by anti-virus and anti-malware programmes. 

The usage of Lazagne, an open-source application developed with one goal in mind: collecting credentials from major browsers, is a significant element of the Chimaera toolkit. Another programme tries to find and exfiltrate Amazon Web Services (AWS) credentials, while an IRC bot serves as a command and control server.

"In this case, most of the used files that are placed on disk at some point lack a clear malicious purpose by themselves," Caspi told of the reason the malware could go undetected for so long. "The malicious processes injected into memory without touching the disk are harder to identify if they don't share indicators with previous malicious activity or perform any clearly malevolent activity." 

TeamTNT's primary objective is to mine Monero, a privacy-focused cryptocurrency, on victim hardware rather than harvesting credentials. "Mining cryptocurrency has always been TeamTNT's major goal," Caspi stated.

Vulnerability in Less.js Causes Website to Leak AWS Secret Keys

 

Cybersecurity researchers at Canadian firm Software Secured identified a critical flaw in Less.js, a widely used preprocessor language. According to the report published by the firm, the vulnerability could be exploited by threat actors to achieve remote code execution attacks.

Researchers report that Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites. In addition, the Less.js library supports plugins from remote sources using the @plugin syntax; these plugins must be written in JavaScript and will run when the Less code is interpreted.

Attackers can abuse this feature for remote attack deployment: “If less code is processed on the client-side, an inter-site scripting (XSS) attack could result, although its server-side execution can lead to remote code execution (RCE). All versions of Less with support for @plugin syntax are vulnerable to these scenarios. Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites,” says the report published by the firm Software Secured.

The report includes a proof of concept (PoC) and a real-world scenario exploitation demonstration in CodePen.io, a website for creating Less.js code snippets. The operators of this website were notified about this and a solution has already been developed to address this flaw. 

“The vulnerability requires certain conditions to be successful. An example vulnerable scenario might be a feature that accepts custom styling via Less code from a user. Once in a vulnerable configuration, it is straightforward to exploit the application. Buis said as far as he knows, Less has not patched the bug. The backtick behavior has been known for a while and there is configuration to mitigate in recent versions,” Jeremy Buis, writer of the blog post told The Daily Swig. 

“The plugin and @import (inline) behaviour hasn’t been written about before as far as we can tell. We reached out to the maintainers over a year ago where the bugs were acknowledged. Buis advised Less.js users to mitigate the risks by considering the following. Instead of Less code, allow regular CSS use instead. If Less support is required, then transpile the Less code on the client-side to avoid the threat of SSRF and RCE attacks,” Buis added.

Hackers Breached into Twilio's AWS; Company Confirms the Attack


In a recent cybersecurity breach incident, Twilio acknowledges that hackers breached into the company's cloud services (unsecured) and compromised its javascript SDK. The hackers modified the javascript that the company shares with the clients. Twilio, a famous cloud communications company, told a news agency about the incident, after an anonymous whistleblower had reported the issue to the agency. To summarise it all, a cybercriminal breached into Twilio's AWS (Amazon Web Services) S3 systems. It should be noted that the networks were unsecured and world-writable. The hacker modified the TaskRouter v1.20 SDK and attached some malicious codes designed to tell if the changes worked or not.


In response to the incident, Twilio says that the customer's privacy safety is the first and foremost concern for the company. Twilio confirms about the malware in the TaskRouter v1.20 SDK, and that it was the work of a 3rd party. The modification of the S3 bucket made the attack possible. According to Twilio, it immediately closed the S3 bucket after knowing the issue and has issued an inquiry into the incident. The company took roundabout 12 hours to deal with the issue. Currently, it has no proof if any of the customer accounts were stolen or not. However, it confirms that the hacker didn't break into the company's internal systems to modify coding or data.

 Twilio uses JavaScript SDK as a method to connect your business operations to its task router platforms. The company plans to publish a detailed report about the incident in a few days. However, a friendly suggestion to the users, if you have downloaded or installed an SDK copy, make sure that you have a legit copy.

 "Our investigation of the javascript that was added by the attacker leads us to believe that this attack was opportunistic because of the S3 bucket's misconfiguration. We believe that the attack was designed to serve malicious advertising to users on mobile devices," said Twilio to The Register as a response to the incident. It also says, "If you downloaded a copy of v1.20 of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00), you should re-download the SDK immediately and replace the old version with the one we currently serve."

Apple Plans to Expand Cloud-Based Services, Enters Cloud Computing Space


Apple is planning to invest more in streamlines and increasing its cloud-based and software services like iCloud, Newsplus, and Apple Music. The expansion will go along with devices like iPads, MacBooks, and iPhones. To be entirely sure about the reliability of the cloud-based service on all the Apple devices, the company has decided to rely on AWS (Amazon Web Services) and the cloud division. AWS, as you might know, is a subunit of Amazon that offers cloud-space solutions. According to CNBC's findings, Apple is said to pay Amazon $30 Million monthly for its cloud-based services. It also means that Apple is one of the biggest customers of AWS.


Nevertheless, Apple hasn't confirmed whether it uses Amazon's cloud services besides its iCloud. According to experts, Apple also has some of its cloud services on Google. Amazon transformed the management of the data center and hosting of the applications when it brought the AWS. Being the first one to offer services like these, AWS is currently ranked top in the world of cloud hosting. Since recent times, Google Cloud and MS Azure are also trying to increase their presence in cloud-space services.

"As a matter of fact, AWS crossed the $10 billion quarterly revenue mark in Q1 2020, bringing in revenue of $10.2 billion with a growth rate of 33%. AWS accounted for about 13.5% of Amazon's total revenue for the quarter, which is on the higher end. Google Cloud, which includes Google Cloud Project (GCP) and G-Suite, generated $2.78 billion in revenue in the first quarter this year, which marked as a 52% increase over the same quarter a year ago. Microsoft does not reveal Azure revenue, but it announced that its Azure revenue grew by 59% in Q1 2020 over the same quarter a year ago," says Taarini Kaur Dang from Forbes.

As it seems, Apple knows the importance of the high-end cloud support needed for offering the best services to its customers. Similar to other tech biggies, Apple has its cloud space team called ACI (Apple Cloud Infrastructure). Noticing Apple's recent advancements, it is fair to believe that Apple might revolutionize the cloud-space world.

Hackers Attack Amazon Web Services Server


A group of sophisticated hackers slammed Amazon Web Services (AWS) servers. The hackers established a rootkit that let them manually command the servers and directed sensitive stolen corporate date to its home servers C2 (command and control). The attackers breached a variety of Windows and Linux OS within the AWS data center. A recent report published by Sophos (from Britain) last week has raised doubts and suspicions among the cybersecurity industry.


According to Sophos reports, the hackers were able to avoid Amazon Web Services SG (security groups) easily. Security Groups are supposed to work as a security check to ensure that no malicious actor ever breaches the EC2 instance (it is a virtual server used by AWS to run the application). The anonymous victim of this attack had already set up a perfectly tuned SG. But due to the rootkit installed in AWS servers, the hackers obtained remote access meanwhile the Linux OS was still looking for inbound connections, and that is when Sophos intervened. Sophos said that the victim could have been anyone, not just the AWS.

The problem was not with AWS, this piggybacking method could have breached any firewall, if not all. According to cybersecurity experts' conclusion, the hackers are likely to be state-sponsored. The incident is named as "Cloud Snooper." A cybersecurity expert even termed it as a beautiful piece of work (from a technical POV). These things happen all the time, it only came to notice because it happened with a fancy organization, he says. There are still unanswered questions about the hack, but the most important one that how the hackers were able to manage this attack is cleared.

About the attack 

“An analysis of this system revealed the presence of a rootkit that granted the malware’s operators the ability to remotely control the server through the AWS SGs. But this rootkit’s capabilities are not limited to doing this in the Amazon cloud: It also could be used to communicate with, and remotely control, malware on any server behind any boundary firewall, even an on-premises server. By unwinding other elements of this attack, we further identified other Linux hosts, infected with the same or a similar rootkit," said Sophos.