Search This Blog

Showing posts with label AWS S3. Show all posts

PyPl Hosting Malware and AWS Keys 


The Python package repository PyPI was discovered to be hosting malware and AWS keys. Tom Forbes, a software developer, created a Rust-based application that searched all new PyPI packages for AWS API keys. The tool returned 57 successful results, some from Louisiana University, Stanford, Portland, Amazon, Intel, and Stanford.

Forbes explains that his scanner searches for AWS keys in fresh releases from PyPI, HexPM, and RubyGems on a recurring basis using GitHub Actions. If it does, it creates a report containing the pertinent information and commits it to the AWS-cred-scanner repository.

According to Forbes' article, "The report comprises the keys that have been found, as well as public link to the keys and additional metadata regarding the release." Github's Secret Scanning service engages because these keys have been uploaded to a public GitHub repository, alerting AWS that the keys have been compromised.

As per Forbes, "It relies on the specific rights granted to the key itself. Other keys I discovered in PyPI were root keys, which are equally permitted to perform any action. The key I discovered that was leaked by InfoSys in November had full admin access, meaning it can do anything. If these keys were stolen, an attacker would have unrestricted access to the associated AWS account."

He claimed that other keys might have more circumscribed but nonetheless excessive permissions. For instance, he claimed it frequently happens that a key meant to grant access to just one AWS S3 storage bucket has unintentionally been configured to give access to every S3 bucket connected to that account.

GitHub's automated key scanning, which includes keys in npm packages, is cited by Forbes as an effective tool. Expressions that GitHub employs to search for secrets are sensitive and cannot be made public. As a result, PyPI and other third parties are basically unable to leverage this decent infrastructure without providing all of the PyPI-published code to GitHub. Further, Forbes recommended that businesses carefully consider their security procedures.

Cybersecurity firm Phylum reported that it uncovered a remote access trojan dubbed pyrologin in a PyPI package in December. Last month, ReversingLabs, another security company, also discovered a malicious PyPI package: the malware was disguising itself as an SDK from SentinelOne, a different security company. And in November, W4SP malware was discovered in dozens of recently released PyPI packages.3,653 harmful code blocks were eliminated as a result of a large-scale malware culling carried out by PyPI in March 2021. 

As a result, AWS creates a support ticket to alert the guilty developer and implements a quarantine policy to reduce the risk of key misuse. However, the issue is that an unethical person might produce comparable scanning software with the intention of abusing and exploiting others. 

Civicom Data Breach Disclosed 8TB of Files


Civicom, a New York City-based company that provides audio, online videoconferencing, and market analysis services, has been discovered to be giving its customers access to a goldmine of personal and sensitive data. 

Civicom excels in virtual meetings over the internet, and the files contain audio and video recordings of private customer sessions. Unfortunately, the S3 bucket was left open to the public with no password or security verification, allowing everyone with knowledge on how to discover damaged databases to access the data.

"The greatest audio and web conferencing services on the world, webinar services, global marketing research services, top transcription/CRM entry provider, general transcription service and more online jury trials." according to the company's Homepage. 

It was caused by a misconfigured AWS S3 bucket, rather than attackers intentionally hacking into the system, as is usual of this type of data breach. There were four different datasets exposed as listed below:

  • Conferences on video.
  • Highlights that have been clipped. 
  • Recordings on audio.
  • Transcripts of Audio. 

Countless hours of video and audio recordings, as well as hundreds of written transcripts, reveal Civicom's clients' private chats. Several businesses are likely to have discussed the following topics during these discussions: 
  • Sensitive business information (perhaps includes market research calls). 
  • Confidential information. 
  • Properties of the mind. 
It is worth noting that a number of client companies have employees whose personal information is visible on the bucket. Employees of Civicom clients' PII which have been exposed include complete names and photos of the faces and bodies of staff. At the time of the event, the bucket was active and being updated, and it had been active since February 2018. The management of Civicom's bucket is not Amazon's responsibility, therefore this data leak is not Amazon's fault. 

Civicom exposed 8 gigabytes of records containing more than 100,000 files, according to the Website Planet Security Team, which discovered the database. This was due to one of Civicom's unencrypted Amazon S3 buckets. The AWS S3 bucket has been active since 2018, according to the Website Planet Security Team. 

On October 28th, 2021, the researchers discovered the vulnerability and notified Civicom of the situation on October 30th, 2021.  After three months, Civicom replied to Website Planet and retrieved the bucket on January 26th, 2022. Nonetheless, the good news is, the bucket is not accessible to the general public.

Ransomware Assaults on AWS' S3 Buckets Have Become More Likely


AWS is the most popular cloud service provider, with a solid reputation for security and dependability. Despite this, Ermetic's research demonstrates that identities pose a severe security concern and expose buckets to the risk of a ransomware attack. According to new research, 90% of S3 buckets are vulnerable to ransomware attack. 

Ermetic conducted the survey in order to better understand the security posture of AWS environments and their susceptibility to ransomware attacks, as well as to assist enterprises in identifying system flaws and mitigating risks. “Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” said Shai Morag, CEO of Ermetic. 

A stunning 70% of machines had permissions that might be exploited and were openly exposed to the internet. The privileges of third-party identities could be extended to admin level in 45% of situations. Furthermore, 80% of IAM Users had access credentials that had not been used in at least 180 days but were still active. 

According to Saumitra Das, Blue Hexagon CTO and Cofounder, this report emphasises the critical need to “detect threats” in the cloud rather than focusing solely on misconfigurations. According to research from the Cloud Security Alliance, even if misconfigurations in S3 buckets or IAM access keys have been inactive for a long time, it might take days, weeks, or even months for these to be discovered and remedied. 

 It also emphasises that ransomware is not just an on-premises issue; as the pandemic has increased cloud transfer of workloads, attackers and ransomware criminal operators have also accelerated cloud migration.  

Firms must monitor three things, according to Das, including runtime activity of identities; cloud storage, including read/write patterns, and network activity, which can assist companies determine when instances are exposed to the internet and their identities are misused.

According to the research, here are a few methods that organizations can take to protect their AWS S3 buckets from ransomware: 

 • Deploy Minimum Privilege - implement an authorization system that only allows identities to conduct their business functions with the bare minimum of entitlements, decreasing the possibility of ransomware infecting buckets. 

 • Reduce the risk of ransomware by following best practises to avoid/remove common problems that ransomware can use to steal identities and install malware. 

 • Use logging and monitoring tools like CloudTrail and CloudWatch to spot suspicious activity that can lead to early detection and response in the event of a ransomware attack.

Security Flaw in AWS S3 Possess Security Threat for Business Organizations


New security flaws have emerged in the AWS’ Amazon Simple Storage Service (S3) buckets which are now exposed via additional channels and APIs, which create new security loopholes allowing hackers to exploit. 

The flaw in cloud platforms has given threat actors an opportunity to steal data from various organizations. Several industries such as finance, fintech, retail, manufacturing, enterprise software, and more, have failed to implement the most efficient threat detection tools to ensure their data is properly secured in the cloud. The companies are essentially blind when it comes to files that originate from external sources, internal company assets, etc. 

In each scenario, the blend of file types may vary depending on the business, but most files fall under the high-risk category and should be properly examined. Content-borne risks include malware, ransomware, APTs, embedded malicious links, evasion attempts, and more which are well hidden in different file types including Word (.doc, .docm, .docx), Excel (.xls, .xlsx, .xlsm, etc.), PowerPoint (.ppt, .pptx, .pptm), Adobe (.pdf), archive files, text files, executables, and even email (.eml) files. 

Maor Hizkiev, CTO and co-founder of BitDam notes that the average office worker now spends up to 80% of their time collaborating with their managers and colleagues using collaboration tools such as instant messaging, Dropbox, Google Drive, or OneDrive, however, many collaboration tools lack adequate security.

Hence, modern threat detection tools are required to detect the threats and mitigate them quickly. Threat detection tools must be able to scan 100 percent of files dynamically and in a matter of seconds and should deliver high detection rates and low false positives. 

Previously, sandbox technology was used to scan the files but due to its slow nature companies were forced to be selective concerning which files to scan. This increases the risk for the infiltration of malicious content, and this is what attackers are exploiting. 

Security Recommendations 

Security analysts have advised organizations and business application providers to remain vigilant regarding their security and realize that S3 bucket security is a blind spot due to the changing use cases and data workflows. Meanwhile, they should also upgrade their threat detection tools.

Organizations should adopt the cloud-native solution which can easily scan 100 percent of their S3 content in seconds – both files and URLs at the CPU level. The cloud-native solution detects security loopholes by scanning the entire execution flow to identify malicious activity. Another important element that companies should consider is access to an incident response team. Organizations must be vigilant while selecting the right service for comprehensive S3 bucket protection at the speed and scale of their business.