Search This Blog

Showing posts with label Amazon. Show all posts

Amazon, Microsoft Cloud Leaks Highlight Lingering Misconfiguration Issues

 

A slew of household names has recently been accused of misconfigured cloud storage buckets overflowing with unencrypted data, shedding light on a cybersecurity problem that appears to have no solution. Anurag Sen, a security researcher, revealed just last week that an Amazon server had exposed data on Amazon Prime members' viewing habits. 

During the same time period, Thomson Reuters admitted that three misconfigured servers had exposed 3TB of data via public-facing ElasticSearch databases, according to Cybernews, which first reported the issues. And Microsoft admitted in mid-October that it had left an open misconfigured cloud endpoint that could have exposed customer data such as names, email addresses, email content, and phone numbers.

"The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability," Microsoft said in its statement on the misconfigured server. "We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints."

Indeed, rather than bugs, the leaks are driven by a range of misconfigurations, ranging from insecure read-and-write permissions to improper access lists and misconfigured policies, all of which could enable threat actors to access, copy, and potentially alter sensitive data from accessible data stores.

"The main concern with this kind of leak is the high impact, and that is why the threat actors go after misconfigured storage [servers] and buckets," says Ensar Şeker, CISO at SOCRadar, the cybersecurity firm that discovered the Microsoft issue. "Once they discover [the accessible data], the bucket might ... contain huge amounts of sensitive data for one tenant [or] numerous tenants."

According to Venafi, 81% of organizations have experienced a security incident related to their cloud services in the last 12 months, with nearly half (45%) experiencing at least four incidents. According to Sitaram Iyer, senior director of cloud-native solutions at Venafi, the increase in incidents is due to the increasing complexity of cloud-based and hybrid infrastructure, as well as a lack of visibility into that infrastructure.

"Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend," he says. "The increase in this trend is most often due to misconfiguration related to access controls: While only authorized users need to be allowed access to cloud storage, a simple mistake in configuration often enables [any] authenticated users to gain access."

Companies should monitor their cloud assets on a regular basis to detect when a datastore or storage bucket has been exposed to the public internet. Furthermore, using infrastructure-as-code (IaC) configuration files when deploying cloud storage not only automates deployments but also helps eliminate errors, according to data from Snyk, a maker of security services for the software supply chain.

According to the company, implementing IaC reduces cloud misconfigurations by 70%. The division of responsibilities between cloud providers and business customers remains an issue. While the customer is responsible for configuring cloud assets, Venafi's Iyer believes that the cloud service should make configuring cloud assets as simple as possible.

"Principle of least privilege must be adopted for every aspect of the data," he says. "Access to data must be provided as needed, with proper controls and authorization policies that tie it to a specific user or service account, and proper logging of access and notifications must be implemented."

An Amazon spokesperson told Dark Reading in a statement about the Prime Video case: "A Prime Video analytics server experienced a deployment error. This issue has been resolved, and no account information (including login or payment information) was compromised."

However, misconfiguration is not always the original sin; instead, a worker or developer will deploy a "shadow" server, a container or a storage bucket unknown to the IT department and thus unmanaged by the company.

Misconfigured storage has a long history of compromising security. The issue is frequently ranked among the top ten security issues in the popular Open Web Applications Security Project (OWASP) Top 10 security list. Security Misconfiguration rose to fifth place in 2021, from sixth place in 2017. Verizon Business' annual "Data Breach Investigations Report" also highlights the outsized impact of misconfigured cloud storage: In 2021, human errors accounted for 13% of all breaches.

Drizly Sued by FTC Over Data Breach Which Affected 2.5 Million Customers

According to claims that Drizly's security lapses resulted in a data breach that exposed the personal information of roughly 2.5 million customers, the Federal Trade Commission is taking legal action against the company and its CEO James Cory Rellas.

The FTC claims that the Uber-owned booze delivery business and its CEO, James Cory Rellas, were made aware of security concerns as early as 2018. The digital alcohol retailer Drizly and its CEO James Cory Rellas are being investigated by the Federal Trade Commission over claims that the company's security flaws caused a data breach that exposed the private data of around 2.5 million customers.

Drizly, an Uber subsidiary, runs an online marketplace where local shops can sell alcohol to customers who are of legal drinking age. The complaint alleges that Drizly gathered and stored users' email addresses, passwords, geolocation data, and postal addresses on Amazon Web Services (AWS) cloud computing service while negotiating deals.

According to the FTC, Drizly's lax security procedures, such as not forcing employees to utilize two-factor authentication for GitHub, where it stored login information, allowed those occurrences to occur. The FTC further notes that Drizly has no senior executive in charge of its security practice and did not restrict employees' access to consumers' personal information.

According to Samuel Levine, Director of the FTC's Bureau of Consumer Protection, "our proposed order against Drizly not only limits what the firm can retain and collect going ahead but also ensures the CEO suffers penalties for the company's negligence."

In its lawsuits and rulings, the FTC has been naming firm officials more frequently. As CEO of Drizly, Rellas was accused by the FTC of failing to appoint a senior executive to manage the security procedures. Companies may wish to make sure they hire a senior official in charge of security to help reduce the potential of individual liability for CEOs.

These draft orders will be published by the FTC soon, and the public will have 30 days to comment on them until the commission chooses whether to make them public.



RBI Employs Tokenization to Combat Breaches

 

The RBI, the central bank of India, is now prepared to impose card tokenization in India after permitting customers to link credit cards with UPI. In the midst of all of this, many users are perplexed as to what card tokenization actually is and why applications and websites advise users to safeguard their credit and debit cards following the RBI's new rules.
 
What is tokenization? 

Tokenization is the process of replacing actual card information with a special alternate code called a 'token,' which must be different for each card, token requester, and device, i.e. the organization that accepts customer requests for card tokenization and forwards them to the card network to produce a corresponding token.

Researchers are still quite aware of the data exposures from MobiKwik and Domino's India. As users can see, the data becomes vulnerable to data breaches and leaks if you store your private card information on the cloud servers of numerous such online apps and websites.

Although some websites might have the highest levels of security in place to protect user credit card information, others may not be adhering to international security requirements. Having credit card information being dispersed over several servers with varying levels of security gives hackers more access points. The RBI now wants to alter the current state of digital payments and standardize 'tokenization' to increase the security of all online card transactions.

In September 2021, the RBI ordered that card-on-file (CoF) tokenization be used instead of retailers holding client card information on their systems beginning January 1, 2022. In addition, businesses such as apps, websites, payment processors like RazorPay, or banks will no longer be responsible for safeguarding your card information. Tokenization is a technique the RBI developed to protect domestic card transactions by employing random strings of tokens rather than disclosing the user's personal card information.

Since the regulation on tokenization was published, according to Deputy Governor Sankar, the central bank has been in close contact with all stakeholders to guarantee a smooth transition to the tokenization policy.

How does tokenization work? 

The process of tokenizing cards is straightforward. When a card is chosen to be tokenized, the card network such as Visa, MasterCard, etc. issues the token with the bank's approval and gives it to the retailer. For example, when you save an SBI Visa debit card on Paytm by RBI's requirements, Visa will create the token with SBI's permission and share it with Paytm.

If you decide to save the identical credit or debit card on some other app, let's say Amazon, a new token will be issued and shared with Amazon. The token will vary based on the merchant and device, even if it's the same card. From a security standpoint, it implies the tokens are unique and discrete, which is beneficial.

Potential effects of tokenization

The RBI was forced to develop card tokenization as a result of the constant data leaks, thefts, and breaches that occur in the digital age. Not to add that the various security standards used by apps, websites, payment processors, and other middlemen compromise users' online security.

Tokenization has very little of an effect on the customer. Customers simply need to submit their card information once to receive a token. The process of tokenization will then be initiated by the merchant at no further cost or customer effort.

According to experts, there are no drawbacks to card tokenization from the perspective of the end-user. The RBI standards must be implemented by merchants and payment systems, but aside from that, consumers benefit.

Amazon Patches Ring Android App Flaw Exposing Camera Recordings

 

Amazon has patched a critical vulnerability in the Amazon Ring app for Android that could have enabled hackers to download saved camera recordings from customers. The flaw was discovered and disclosed to Amazon on May 1st, 2022 by security researchers at application security testing company Checkmarx, and it was fixed on May 27th. 

Because the Ring Android app has over 10 million downloads and is used by people all over the world, access to a customer's saved camera recordings could have enabled a wide range of malicious behaviour, from extortion to data theft. 

Checkmarx discovered an 'activity' that could be launched by any other app installed on the Android device while analysing the Ring Android app. An 'activity' on Android is a programme 0component that displays a screen that users can interact with to perform a specific action. When developing an Android app, you can expose that activity to other installed apps by including it in the app's manifest file.

Checkmarx discovered that the 'com.ringapp/com.ring.nh.deeplink.DeepLinkActivity' activity was exposed in the app's manifest, enabling any other install app to launch it.

"This activity would accept, load, and execute web content from any server, as long as the Intent's destination URI contained the string “/better-neighborhoods/”," explained a report by Checkmarx shared with BleepingComputer before publishing.

This meant they could start the activity and send it to an attacker-controlled web server to interact with it. However, only pages hosted on the ring.com or a2z.com domains were able to interact with the activity.

The Checkmarx researchers got around this restriction by discovering an XSS vulnerability on the https://cyberchef.schlarpc.people.a2z.com/ URL, which allowed them to compromise the system.

"With this cookie, it was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings." - Checkmarx.

With a working attack chain in place, the researchers could have exploited the vulnerability by developing and publishing a malicious app on Google Play or another site. Once a user was duped into installing the app, it would launch the attack and send the Ring customer's authentication cookies to the attackers.

Analyzing videos with machine learning

However, as a threat actor, what would you do with the massive amount of videos that you could gain access to by exploiting this vulnerability?

Checkmarx discovered that they could sift through the videos using the Amazon Rekognition service, an image and video analysis service. The service could use machine learning to find videos of celebrities, documents containing specific words, or even a password scribbled carelessly on a post-it note stuck to a monitor.

This information could then be relayed back to the threat actor, who could use it for extortion, network intrusion, or simply to be a voyeuristic observer. The good news is that Amazon quickly responded to Checkmarx's bug report and released a fix.

"It was a pleasure to collaborate so effectively with the Amazon team, who took ownership and were professional through the disclosure and remediation process," concluded the Checkmarx report.

"We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers' submission was processed. Based on our review, no customer information was exposed," Ring told BleepingComputer.

PYSA Ransomware Group: Experts Share In-Depth Details

 

Since August 2020, the cybercrime group adopted a five-stage system design, with the malware developers prioritizing enhancements to boost the efficiency of its activities, according to an 18-month examination of the PYSA ransomware operation. The GSOC explores the PYSA ransomware inside this Threat Analysis Report. Once the Federal Bureau of Investigation (FBI) informed of the ransomware's increased activity and significant harmful impact early this year, it became known as the PYSA ransomware. 

This includes a user-friendly tool, such as a full-text search engine, to make metadata extraction easier and allow threat actors to easily locate and access victim information. "The group is notorious for thoroughly researching high-value targets before unleashing its operations, compromising business systems, and forcing researchers to pay significant ransoms to retrieve sensitive data," stated PRODAFT, a Swiss cybersecurity firm, in a comprehensive report released last week. 

PYSA, which stands for "Protect Your System, Amigo" and is a descendant of the Mespinoza ransomware, was initially discovered in December 2019 and has since risen to become the third most common ransomware strain reported in the fourth quarter of 2021. The cybercriminal cell is thought to have exfiltrated confidential info linked to as many as 747 individuals since September 2020, until its databases were taken down earlier this January. 

The majority of its victims are in the United States and Europe, and the gang primarily targets the federal, medical, and educational sectors. "The United States was the most-affected country, contributing for 59.2 percent of all PYSA occurrences documented," Intel 471 stated in a review of ransomware assaults observed from October to December 2021. PYSA, like all other malware attacks, is renowned for using the "big game hunting" method of double ransom, which involves making the stolen data public if the victim refuses to comply with the firm's demands. 

Every relevant key is encrypted and assigned the ".pysa" extension, which can only be decoded with the RSA private key given after paying the fee. PYSA victims are claimed to have paid about 58 percent in digital payments to get access to protected data. PRODAFT was able to find a publicly accessible. git folder owned by PYSA operators and designated one of the project's writers as "dodo@mail.pcc," a danger actor based on the commit history thought to be situated in a country that observes daylight savings time.

As per the study, at least 11 accounts are in control of the whole operation, the mass of which was formed on January 8, 2021. However, four of these accounts — t1, t3, t4, and t5 — account for approximately 90% of activity on the management panel of the company. Other operational security failures committed by the group's members allowed a concealed system running on the TOR secrecy network — a server provider (Snel.com B.V.) based in the Netherlands — to be identified, providing insight into the actor's techniques. PYSA's infrastructure also includes dockerized containers for global leak servers, database servers, administrative servers, and an Amazon S3 cloud for storing the files, which total 31.47TB.

The panel is written in PHP 7.3.12 by using the Laravel framework and uses the Git version monitoring system to oversee the development process. Furthermore, the admin panel exposes several API endpoints that allow the system to display files, auto-generate GIFs, and scan data, which is used to group stolen victim data into broad categories for simple retrieval. Several or more potential threat groups spent nearly five months within the system of an undisclosed regional US government agency before delivering the LockBit ransomware malware at the start of the year, as per research from cybersecurity firm Sophos.

The Fodcha DDoS Botnet Hits Over 100 Victims

 

Qihoo 360 researchers have found a rapidly spreading new botnet called Fodcha which is capable of performing over 100 attacks every day. Employing this new malware, the threat actor is attacking routers, DVRs, and servers. The actors were able to infect nearly 62,000 machines with the Fodcha virus in less than a month, as per the researchers. 

360 Netlab reports that the number of unique IP addresses affiliated with the botnet fluctuates, as they are monitoring a 10,000-strong Fodcha army of bots utilizing Chinese IP addresses every day, with the majority of them using China Unicom (59.9%) and China Telecom (59.9%) services (39.4 percent ). 

Researchers alleged that "Based on firsthand data from the security industry with whom we collaborated, the frequency of live bots is more than 56000." "The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China, as well as over 100 DDoS victims are targeted daily." 

The Fodcha infects devices by exploiting n-day vulnerabilities in many devices and employing the Crazyfia brute-force cracking tool. The botnet targets a variety of devices and services, including but not limited to: 

RCE for Android ADB Debug Server 
CVE-2021-22205 on GitLab 
CVE-2021-35394 in the Realtek Jungle SDK 
JAWS Webserver unverified shell command execution on MVPower DVR 
LILIN DVR RCE: LILIN DVR
TOTOLINK Routers: Backdoor TOTOLINK Routers
ZHONE Router: Web RCE ZHONE Router 

After successfully acquiring access to susceptible Internet-exposed devices samples, Fodcha attackers use Crazyfia result data to deploy malware payload. The botnet samples, according to 360 Netlab, target MIPS, MPSL, ARM, x86, and other CPU platforms. 

The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc when the cloud vendor took down the essential C2 domain. 

"The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha's operators with no alternative but to re-launch v2 and upgrade C2," the researchers reported. "The new C2 is mapped to over a dozen IP addresses and is scattered across different countries, including the United States, Korea, Japan, and India." It also includes more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others. 


Amazon's Bogus Crypto Token Investment Scam Robs Bitcoin off Users.

 

Investors are being misled into turning over Bitcoin in a new cryptocurrency fraud (BTC). Scams involving cryptocurrency and digital tokens have become commonplace, posing a risk to potential buyers. 

Exit scams, rug pulls, and theft are still common, despite the fact regulators throughout the world are cracking down on fraud through tax laws, securities offering registration, tougher restrictions governing cryptocurrency advertisements, and a careful check on initial coin offers (ICOs). The popularity of cryptocurrencies and NFTs continues to rise, creating breeding soil for new frauds to emerge on a regular basis.

Utilizing Amazon's branding to promote a bogus scheme entitled "Amazon to produce its digital token," cyber-criminals are luring users to give away private credentials from the first step of the scam campaign. 

According to Akamai experts, the ongoing cyberattack attempts have profited from the cryptocurrency hype, including scammers using a range of phishing methods based on false rumors. "This particular fraud preyed on consumers' fear of missing out on a special offer to participate in a new cryptocurrency opportunity". Furthermore, in 2021, according to Chainalysis, fraudsters have received around $14 billion in deposits.

Visitors were asked to purchase for the pre-sale tokens with users cryptocurrencies, such as Bitcoin (BTC) or Ethereum (ETH). However, as the tokens aren't real, the funds ended up in the hands of criminals. 

Another enticement is a referral programme that allows the attackers to increase the scope of the token fraud with no further effort. In all, mobile devices were used by the majority of visitors to the phoney token landing pages (98 percent). The distribution of mobile operating systems, however, favors Android handsets (56 percent), with Apple iOS coming in second (42 percent). North America, South America, and Asia account for the vast majority of victims.

To avoid being a victim of fraud like this, users are advised to take the following precautions: 

  •  Be wary of bitcoin marketing and social media posts. 
  •  Before submitting information and making a purchase, double-check URLs and websites. 
  •  Don't be fooled by high-pressure techniques like "flash sales," "just a few left," or "buy now."
  •  Look for legitimate sources while researching what to buy. 
  •  When you see scam ads or postings, report them so they can be removed from social media. 
  •  Be alert, and therefore don't believe everything. 
It's essential to avoid chatting with random commentators or accepting unsolicited invitations from strangers, especially now when social media-based communication is at its most over-used in the pandemic.

Due to a Vulnerability in the TLD Registrar's Website, Attackers May Have Modified the Nameservers

 

Due to a vulnerability in the TLD registrar's website, attackers may have changed the name-servers of any domain under Tonga's country code top-level domain (ccTLD), according to security researchers. With approximately 513 million results from a Google search for '.to' pages, the weakness provided potential miscreants with a plethora of potential targets for a variety of large-scale attacks. The Tonga Network Information Center (Tonic) was "extremely quick" in resolving the bug in under 24 hours after online security firm Palisade exposed the issue, following a pen test, on October 8, 2021, according to a Palisade blog post. 

Sam Curry and other Palisade researchers uncovered an SQL injection vulnerability on the registrant website, which could be used to gain plaintext DNS master passwords for.to domains. Once signed in, they may modify the DNS settings for these domains and redirect traffic to their own website. According to Curry, the attacker might then steal cookies and local browser storage and therefore access victim sessions, among other assaults. 

An attacker may send crafted accounts if they gained control of google.to, an official Google domain for redirects and OAuth authorization processes. OAuth is a popular authorization mechanism that allows websites and web applications to request limited access to another application's user account. Importantly, OAuth enables the user to authorize this access without revealing their login credentials to the requesting application. This implies that instead of handing over complete control of their account to a third party, users can fine-tune which data they want to disclose. 

The fundamental OAuth protocol is extensively used to integrate third-party functionality that requires access to certain data from a user's account. For example, an application may utilise OAuth to request access to your email contacts list in order to recommend individuals to connect with. The same approach, however, is also used to enable third-party authentication services, allowing users to log in with an account they have with another website. 

As with .io, .to domains are extensively used to generate short links that are used to reset user passwords, for affiliate marketing, and to drive users to company resources. Curry argued that link shortening services used by Amazon (amzn.to), Uber (ubr.to), and Verizon (vz.to) may have been misused by altering the '.to' pages to which these giant brands' tweets connected for their millions of Twitter followers. 

Curry speculated that attackers "could likely steal a very big amount of money" from customers of tether.to, the official platform for purchasing Tether stable coin - even if they "only owned this domain for a short period of time." However, Eric Gullichsen, administrator of the.to ccTLD, stated that “various security and monitoring and throttling systems we already had in place would have defeated many of the exploits used during the pen test, had the security researchers’ IP addresses not been whitelisted to enable their testing.”

Houdini Malware is Back, and Amazon Sidewalk has Affected Enterprise Risk Assessments

 

A secure access service edge (SASE) platform's nature allows it to see a significant number of internet data flows, and the larger the platform, the more dataflows can be evaluated. A review of over 263 billion network flows from Q2 2021 reveals rising dangers, new uses for old malware, and the expanding use of consumer devices in the workplace. 

According to the Cato Networks SASE Threat Research Report, a new version of the old Houdini malware is now being used to steal device information in order to circumvent access rules that looks at both the device and the user. Attackers have prioritized spoofing device IDs, which have evolved from simple point solutions to cloud-based services. As a result, verifying device identity has become critical for strong user authentication. 

The report also shows how Amazon Sidewalk and other consumer services run on many enterprise networks, making risk assessment difficult. “Cybersecurity risk assessment is based on visibility to threats as much as visibility to what is happening in the organization’s network,” says Etay Maor, senior director of security strategy at Cato Networks. 

Maor doubts that many firms would be comfortable with on-site networks that include a variety of home gadgets, including those that are automatically signed in by Sidewalk and belong to employees' neighbours. Just as concerning, he said, "How many companies are even aware that home devices have been brought into the corporate network and are sharing the corporate infrastructure." 

“With lines blurring between the home office and the corporate network – more devices and applications find their way to the organization’s network but not necessarily to the organization’s risk assessment,” Maor added. 

9.5 billion network scans were discovered across Cato's platforms in Q2. Maor is certain that the company's combination of AI-based danger identification and human help assures that these aren't researcher scans. Cato also discovered about 817 million security events caused by malware, as well as over 475 million events caused by incoming or outbound contact with domains with a negative reputation.  

There were nearly 400 million policy breaches, including 241 million vulnerability scans from scanners like OpenVAS, Nessus, and others that violated Cato's security policy or common best practices for network security. The most common exploit attempt (7,957,186 attempts) was against the CVE-2020-29047 vulnerability, a WordPress wp-hotel-booking vulnerability.

Kindle's E-book Vulnerability Could Have Been Exploited to Hijack a User's Device

 

Amazon patched a significant vulnerability in its Kindle e-book reader platform earlier this April, which could have been used to gain complete control of a user's device and steal sensitive data by simply deploying a malicious e-book. "By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information," Yaniv Balmas, head of cyber research at Check Point, said in an emailed statement. "The security vulnerabilities allow an attacker to target a very specific audience."

In other words, if a threat actor wanted to target a certain group of individuals or demographic, the adversary could tailor and coordinate a highly targeted cyber-attack using a popular e-book in a language or dialect widely spoken among the group.

Threat actors might readily target speakers of a specific language, according to Balmas. To target Romanians, for example, they would only need to publish a bestselling book in that language as an e-book. Because the majority of people who download that book will almost certainly speak Romanian, a hacker may be confident that nearly all of the victims will be Romanian. 

“That degree of specificity in offensive attack capabilities is very sought after in the cybercrime and cyber-espionage world. In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely,” Balmas said. 

Following a responsible disclosure of the problem to Amazon in February 2021, the retail and entertainment behemoth released a patch in April 2021 as part of its 5.13.5 edition of Kindle software. The flaw is exploited by sending a malicious e-book to an intended victim, who, upon opening the book, triggers the infection sequence without any interaction from the user, allowing the threat actor to delete the user's library, gain full access to the Amazon account, or turn the Kindle into a bot for striking other devices in the target's local network. 

The flaw is in the firmware's e-book parsing architecture, notably in the implementation of how PDF documents are opened, which allows a malicious payload to be executed on the device. 

"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks," Balmas said. "These IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon's Kindle."

New DNS Flaw Enables 'Nation-State Level Spying' on Companies

 

Researchers discovered a new category of DNS vulnerabilities hitting major DNS-as-a-Service (DNSaaS) providers, which may enable attackers to get access to sensitive data of company networks. 

DNSaaS providers (also referred to as managed DNS providers) rent DNS to other businesses who don't want to maintain and protect yet additional network resources on their own. 

These DNS vulnerabilities, as disclosed by cloud security firm Wiz researchers Shir Tamari and Ami Luttwak at the Black Hat security conference, grant threat actors nation-state intelligence harvesting powers with simple domain registration. 

As per the description, they simply created a domain and utilized it to hijack a DNSaaS provider's nameserver (in this instance, Amazon Route 53), permitting them to eavesdrop on dynamic DNS traffic streaming from Route 53 users' networks. 

The Wiz researchers stated, "We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," 

"The dynamic DNS traffic we 'wiretapped' came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies." 

Employee/computer identities and locations and extremely sensitive data about organizations' infrastructure, such as Internet-exposed network equipment, were among the data they acquired this way. 

In one instance, the researchers used network data from 40,000 corporate endpoints to trace the office locations of one of the world's major services companies. The information gathered in this manner would make it much simpler for threat actors to compromise an organization's network since it would offer them a bird's eye perspective of what's going on within corporations and governments and provide them with "nation-state level surveillance capacity." 

The researchers haven't found any indication that the DNS flaw they identified has ever been exploited in the open, but they do warn that anybody with the expertise of the vulnerabilities and the abilities to exploit it might have gathered data undiscovered for over a decade. 

"The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration. Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable," they added at Black Hat. 

Patched by some, likely to affect others: 

Although two significant DNS providers (Google and Amazon) have already patched these DNS vulnerabilities, others are still likely prone, potentially exposing millions of devices to attacks. 

Moreover, it is unclear who is responsible for fixing this serious DNS flaw. Microsoft has previously informed Wiz that this is not a vulnerability since it could alter the dynamic DNS mechanism that permits Windows endpoints to leak internal network traffic to rogue DNS servers. 

Microsoft explained, this flaw as "a known misconfiguration that occurs when an organization works with external DNS resolvers." 

To minimize DNS conflicts and network difficulties, Redmond recommends utilizing distinct DNS names and zones for internal and external hosts and provides extensive guidance on how to correctly handle DNS dynamic updates in Windows. 

Maintained DNS providers can mitigate nameserver hijacking by adhering to the RFC's "reserved names" specification and checking and confirming domain ownership and validity before enabling their customers to register them. Companies renting DNS servers can also modify the default Start-of-Authority (SOA) record to stop internal network traffic from leaking via dynamic DNS updates.

CISA Partners with Leading Technology Providers for New Cybersecurity Initiative

 

As part of a new campaign aimed at improving the country's cyber defences, the US government has announced partnerships with Amazon, Microsoft, Google, and other major corporations. According to CISA Director Jen Easterly, the Joint Cyber Defense Collaborative, or JCDC, would strive to take a proactive approach to cyber defense in the wake of multiple high-profile breaches that damaged the federal government and the general public. 

The JCDC would initially focus on battling ransomware and other cyberattacks against cloud computing providers, according to a Wall Street Journal report, in order to avoid situations like the recent Kaseya supply-chain ransomware incident that occurred earlier this summer. 

“The industry partners that have agreed to work side-by-side with CISA and our interagency teammates share the same commitment to defending our country’s national critical functions from cyber intrusions, and the imagination to spark new solutions,” Easterly said in the statement. 

CISA will be able to integrate unique cyber capabilities across numerous federal departments, state and local governments, and private sector firms to achieve shared objectives due to the establishment of the JCDC. The new programme will also enable the public and commercial sectors to share information, coordinate defensive cyber operations, and participate in joint exercises to improve cyber defense operations in the United States. 

 Aside from AWS, Microsoft, and Google Cloud, the JCDC will collaborate with AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon. Meanwhile, the Department of Defense (DoD), US Cyber Command, the National Security Agency (NSA), the Department of Justice (DoJ), the FBI, and the Office of the Director of National Intelligence are among the government's partners. 

 Rep. Jim Langevin, D-RI, is a member of the Cyberspace Solarium Commission and a senior member of the House Committee on Homeland Security, said the JCDC is “exactly the kind of aggressive, forward-thinking we need to combat the ever-growing cyber threats that face our nation.” In a statement, Langevin said the JCDC “brings together our [Cyberspace Solarium Commission] recommendations about planning, intelligence fusion and cybersecurity operations in a visionary way.” 

 According to a Langevin aide, the Joint Cyber Defense Collaborative will house the Joint Planning Office, which Congress has authorised, as well as the Joint Collaborative Environment, if passed this year as politicians like Langevin hope.

Amazon Fined With EUR 746 Million By Luxembourg Over Data Protection

 

Amazon has been fined 746 million ($880 million) Euros by the Luxembourg government over data protection rules. Despite its powerful presence across the globe, the American multinational technology company that focuses on e-commerce, digital streaming, cloud computing, and artificial intelligence, has continued to make headlines for various reasons, at times even serious allegations. Interestingly, it also falls under the category of "frightful five" which is a name given to the five most valuable tech giants that collectively influence almost everything that happens in the tech world. Amazon has undoubtedly become an integral part of most households, not only just American but worldwide. In terms of power, Amazon is a leading player both economically and socially. 

According to authorities, Amazon broke the EU’s data protection rules. It is assumed that the fine that has been charged for a data protection violation is the largest since the passage of the regulation. 

The Luxembourg National Commission for Data Protection had issued a notice on July 16. In the wake of which, Amazon said in a securities filing, "Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation."

"We believe the CNPD's decision to be without merit and intend to defend ourselves vigorously in this matter," the company added, using the organization's French acronym. 

The Securities and Exchange Commission (SEC) document did not disclose any further technical details, but Amazon was sued by a European consumer group for using personal credentials for marketing purposes without authorization. Also, the Luxembourg agency declined to comment on further inquiries by saying that its investigations are confidential. 

Following the allegations, Amazon was already fined by French authorities 35 million Euros last year for not following laws on browser "cookies" that track users. Meanwhile, Google (another of "frightful five") had also been charged with a fine of 100 million Euros for similar data protection rules. Alongside, Facebook, yet another giant firm labeled under "frightful five" is also under investigation in Ireland for leaked data.

BEC Attacks have Stolen $1.8 Billion from Businesses

 

Business email compromise (BEC) attacks increased drastically in 2020, with more than $1.8 billion stolen from businesses in just one year. BEC attacks are carried out by hackers who impersonate someone inside a company or pose as a partner or vendor in order to defraud the company. 

The tactics of some of the most dangerous BEC attacks observed in the wild in 2020 were examined in a new report from Cisco's Talos Intelligence, which reminded the security community that smart users armed with a healthy skepticism of outside communications and the right questions to ask are the best line of defense, in addition to technology. 

According to the FBI, BEC assaults are getting more dangerous. They discovered a 136 % increase in the number of successful BEC attacks (reported) around the world between December 2016 and May 2018. Between October 2013 and May 2018, it is estimated that Business Email Compromise cost businesses over $12 billion. Analysts predict that these attacks will grow more regular and that the financial costs connected with them will continue to rise. 

The report stated, “The reality is, these types of emails and requests happen legitimately all over the world every day, which is what makes this such a challenge to stop.” It's tempting to get hooked up on huge global corporations' high-profile data breaches. The genuine revenue, however, is made via smaller BEC attacks, according to the report. 

“Although a lot of attention gets paid to more destructive and aggressive threats like big-game hunting, it’s BEC that generates astronomical revenue without much of the law-enforcement attention these other groups have to contend with,” the report explained. “If anything, the likelihood of this has only increased in the pandemic, with people relying more and more on digital communication." 

According to Cisco Talos, gift card lures are by far the most popular in BEC assaults. Most of the time, these emails will appear to be from someone prominent within the organization and will come from a free provider like Gmail, Yahoo, or Outlook. The solicitations will frequently include a sad narrative of hardship and will attempt to persuade the victim to purchase an Amazon, Google Play, iTunes, PlayStation, or other common types of gift card. 

“The amount of and types of businesses that get targeted with these attacks is truly staggering, ranging from huge multinational corporations down to small mom-and-pop restaurants in U.S. cities,” Talos said. “We found examples of small restaurants that are being targeted by impersonating the owners since the information was available on their website.”

Scammers Employ 'Vishing' Technique to Steal Personal Details of Online Shoppers

 

Scammers are using a unique methodology called ‘vishing’ to trick online customers. In a vishing attack, the fraudster impersonates someone from Amazon but uses a phone call as the weapon of choice. Another tactic employed by the cybercriminal is via email with a contact number and requesting the receiver to call that number. 

Recently, cybersecurity firm Armorblox discovered two distinct email campaigns posing as Amazon. Both emails were identical with a similar Amazon branding and followed a pattern similar to real order confirmation emails from Amazon but, if one knows where to look, there are many indications that the emails are fraudulent.

The first indication is that the emails are sent from a Gmail address or one that looks like it “might” belong to Amazon (no-reply@amzeinfo[.]com) and the recipient is not addressed by their name (a piece of information Amazon would know).

Armorblox researchers noted that scammers are not using the old taction of including a malicious attachment or URL / link, which allowed them to bypass any detection controls that block known bad links. They also made other choices that allowed them to slip past any deterministic filters or blocklists that check for brand names being impersonated (e.g., by writing AMAZ0N – with a zero instead of an “O”). 

What you can do to prevent yourself from these fraudulent schemes? 

With online shopping becoming the new normal, fraudsters will continue targeting this global and immense pool of potential victims. Scammers are using a combination of social engineering, brand imitation, and emotive trigger to lure victims into their trap. If successful, victims could end up handing over their personal data and credit card details, leading to consequences such as identity theft or fraudulent payments made on their behalf. 

The first thing you have to learn is not to open attachments and follow links from unknown emails, and not to call on included phone numbers which may cost you thousands of rupees. If you’re worried that you might be billed for an order you did not make, go to the shop’s website and find the correct phone number yourself.

Secondly, do not share your personal details on a phone call. If you feel the urgency to call back, don't contact the person through any phone number listed in the message. Instead, run a search for a publicly available number for the company.

Lastly, but most importantly use multi-factor authentication (MFA) on all accounts and for all sites. Don't use the same password across multiple accounts and use a password manager to store your passwords.

Amazon Fake Reviews Scam Exposed in Data Breach

The identities of over 200,000 people who appear to be participating in Amazon fraudulent product review schemes have been exposed by an open database. 

There is an ongoing struggle between the e-commerce giant and shady traders all over the world who want to hamstring rivals and gain an advantage by creating fake product feedback. The ways in which they function and remain under Amazon's radar differ, but an open ElasticSearch server has revealed some of their inner workings. 

Researchers from Safety Detectives reported on Thursday that the server, which was open to the public and accessible online, held 7GB of data and over 13 million documents appeared to be connected to a widespread fake review scam. It is unknown who owns the server, but due to messages written in Chinese that were leaked during the incident, there are indications that the company might be based in China. 

The database includes the user names, email addresses, PayPal addresses, links to Amazon accounts, and both WhatsApp and Telegram numbers, which also included records of direct messages between consumers willing to provide false reviews and traders willing to pay them. The leak may implicate "more than 200,000 people in unethical activities," according to the team. 

The database, as well as the messages it included, exposed the strategies used by suspicious sellers. One approach involves sending a customer a connection to the goods or products for which they want 5-star ratings, and the customer then makes a purchase. After a few days, the customer leaves a positive review and sends a message to the vendor, which will result in payment via PayPal — which could be a 'refund,' while the item is kept for free. It's more difficult to spot fraudulent, paid reviews because refund payments are held off the Amazon website. 

On March 1, an open ElasticSearch server was discovered, but the owner could not be identified. On March 6, however, the leak was detected and the server was secured. 

"The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors," the researchers speculated. "What's clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon's terms of service." 

Vendors are not allowed to review their own goods or receive a "cash incentive, discount, free products, or other compensation" in exchange for positive reviews, according to Amazon's spokesperson and review policy which includes third-party organizations. However, since Amazon is such a popular online marketplace, it's likely that some vendors will continue to try to take advantage of review systems in order to increase their profits. 

"We want Amazon customers to shop with confidence, trusting that the reviews they read are genuine and appropriate," a spokesperson for the company said. "We have clear policies for both reviewers and selling partners that forbid the misuse of our community features, and we suspend, ban, and taint people who break them," states the company.

Unidentified Cyberattackers Has Put Alaska Court System Offline

 

A recent cyberattack has forced The Alaska Court System (ACS) to temporarily discontinue its online services to the public including electronic court filings, online payments, and also prevented hearings that take place via videoconference till the cybersecurity unit removes malware from its network including its working website. Due to the ongoing world pandemic, court matters were being dealt with by an online service. However, now services will be given through phone calls. 

On Saturday, a statement has been put out by the court in which the court said that its website will be inactive and people will not be able to search cases while its research unit fixes the malware that has been executed on its network, in order to prevent a further cyber attack. 

"Today, we were advised that there did appear to be some attempts to infiltrate the court system's computer system. And so we figured out a way to disconnect from the internet to stop the problem to prevent anyone from continuing to try to tinker with our network”, Alaska Supreme Court Chief Justice Joel Bolger. 

Additionally, the court told that all currently scheduled cases and other emergency hearings on critical matters will be heard on their time. 

“I think for a few days, there may be some inconveniences, there may be some hearings that are canceled or some judges who decide to shift from videoconference to teleconference proceedings or the like. We don’t have all of that figured out yet,” Alaska Supreme Court Chief Justice Joel Bolger, the court system’s top administrative officer, told the press. 

This cyberattack is just another example of cyber threats against governmental organizations. There is no doubt that because of the pandemic, cyberattacks against government organizations have been increased. Along with Government organizations, the state and local level governments, with private firms and schools, hospitals, are also being targeted massively. 

In the light of the cyber threat, the newly formed Ransomware Task Force, which works under Microsoft and Amazon experts: aims at fixing ransomware and finding solutions to combat these cyberattacks. 

In the latest report, the task force has provided some haunting statistics of ransomware attacks: 

The average downtime due to ransomware attacks is 21 days, the average number of days it takes an organization to fully recover is 287, victims paid $350 million in ransom in 2020, a 311% increase from 2019, and the average ransom payment was $312,493, a 171% increase from 2019.

Alexa Skills can Easily Bypass Vetting Process

 

Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could permit a threat actor to publish a misleading skill under any arbitrary developer name and even make backend code changes after approval to fool clients into surrendering sensitive data. The discoveries were introduced on Wednesday at the Network and Distributed System Security Symposium (NDSS) meeting by a group of scholastics from Ruhr-Universität Bochum and the North Carolina State University, who examined 90,194 skills accessible in seven nations, including the US, the UK, Australia, Canada, Germany, Japan, and France.

 “While skills expand Alexa’s capabilities and functionalities, it also creates new security and privacy risks,” said a group of researchers from North Carolina State University, the Ruhr-University Bochum and Google, in a research paper. 

Amazon Alexa permits third-party developers to make additional functionality for gadgets, for example, Echo smart speakers by configuring "skills" that run on top of the voice assistant, along these lines making it simple for clients to start a conversation with the skill and complete a particular task. Chief among the discoveries is the worry that a client can actuate a wrong skill, which can have serious results if the skill that is set off is designed with a treacherous aim. 

Given that the actual criteria Amazon uses to auto-enable a particular skill among several skills with the same invocation names stay obscure, the researchers advised it's conceivable to actuate some wrong skill and that an adversary can get away with publishing skills utilizing notable organization names. "This primarily happens because Amazon currently does not employ any automated approach to detect infringements for the use of third-party trademarks, and depends on manual vetting to catch such malevolent attempts which are prone to human error," the researchers explained. "As a result users might become exposed to phishing attacks launched by an attacker." 

Far more terrible, an attacker can make code changes following a skills approval to persuade a client into uncovering sensitive data like telephone numbers and addresses by setting off a torpid purpose.

Data of 14 Million Amazon and eBay Accounts Leaked on Hacking Websites

 

An anonymous user offered 14 million data from Amazon and eBay accounts on a prominent hacking website for dissemination. The details seem to have been obtained from customers of Amazon or eBay having accounts from 18 countries between 2014-2021.

In Seattle, USA- focused on e-commerce, cloud computing, internet streaming, and artificial intelligence, Amazon.com Inc. is an international corporation based in Washington. Founded in 1994, the business was named "one of the most influential economic and cultural forces in the world" as well as the most valuable brand in the world. Whereas eBay Inc. is also a U.S. international e-commerce company headquartered in San Jose, California that allows transactions and sales to customers and companies through its website. eBay was founded in 1995 by Pierre Omidyar and became a remarkable success story for the dot-com bubble. 

The database acquired by the hacker was sold for 800 dollars where the accounts were divided through each country. The details leaked contain the entire customer name, mailing code, shipping address and store name, and a telephone number list of 1.6 million users. Although two copies had already been sold, the blog publisher has now closed the deal. 

The way the blog-publisher has acquired data is at present- unclear. Though the firm researching this incidence did not independently check or validate that Amazon or eBay data were certainly from the 2014-2021 period. A representative of Amazon said that the allegations had been reviewed with no evidence of any data violation. 

Also, it is more probable that Amazon or eBay have not experienced any infringements. Instead, a common form of password spraying was presumably used by the threat actor to get the passwords. Spraying passwords is an attack attempting to enter a wide number of accounts with a few popular passwords (usernames). Standard attacks by brute forces seek to enter a single account by guessing the password.

Fortunately, highly confidential material, including billing records, national ID numbers, or even e-mail addresses, does not exist on the server. However, the data being sold at this time is also potentially vulnerable and can be used for a range of reasons, such as doxing users by public dissemination of private data (e.g. sensitive things that nobody needs to hear about). The data may also be exploited by cybercriminals for purposes of creating a spam list or business intelligence.

"Not Amazon" Canadian Website Takes on the Online Giant

The e-commerce giants, with their evidently endless collection and drive to deliver convenience along with affordable prices, have become an all-too-familiar and essential service for many consumers at the height of the ongoing global pandemic. 

While small businesses and local retailers have been ending up with nothing in this pandemic, the worldwide lockdowns, and restrictions, have been fruitful for the e-commerce market, especially for the Seattle-based e-commerce giant Amazon, which has made humongous profits in billions. 

The pandemic has proved as mounting inequity between people and markets, and it was brought into focus by Ali Haberstroh. As the pandemic deepened, offline markets were closed but online shopping continued which consequently created inequality that was highlighted by one Canadian woman who expressed her disapproval as she fought back for the cause. 

“I just hate how much Jeff Bezos and Amazon are making billions off the backs of working-class people,” said Ali Haberstroh. “It seems to me they’re putting money over the wellbeing of people.” 

It was in late November 2020 when the snow was painting Ali Haberstroh’s apartment into a white house when the idea occurred to her. At the time, Canada was about to shut the market again as the second wave of lockdown hit the Canadian lanes in an attempt to curb rising COVID-19 cases. 
In anticipation, Toronto’s vintage clothing owner who is a friend of Ms. Haberstroh’s had put together names of other local vintage shops offering product curbside pickup and deliveries instead of shutting doors. 

“It was a wake-up call,” Ms. Haberstroh, 27, said of the list, which reminded her how large retailers like Walmart, Costco, and Amazon had thrived during the pandemic while much smaller, local businesses had been increasingly forced to discontinue their operations. “I thought if there is one tiny thing I can do to help, then I should get on it.” 

Being as inspired as she was by this idea, Haberstroh readied herself to build a more comprehensive list; following up, she has created an Instagram post, tagging independent businesses, and shopkeepers across Toronto. Moreover, she came up with a new website by the name “Not-Amazon.ca” — a URL that she had bought for $2.99. 

Introduced as a local list to help keep small businesses alive, 'Not Amazon' was created “so you don’t have to give any money to Amazon this year!” her Instagram post read. 

“At first it started off as a bit of a joke, with the name, but soon I really wanted to make it like Amazon, having everything in one place,” she said. “I didn’t want people to have an excuse not to shop local.” 

So far, the website “Not-Amazon.com” has accumulated more than half a million page views and is witnessing the participation from 4,000 businesses across Toronto, Halifax Calgary, and Vancouver. 
Furthermore, the cause is seen to have gained worldwide acceptance as thousands of stores owner await their submission to this site along with Ms. Haberstroh’s approval. 

“In a big city like Toronto, where it feels like most businesses are local, I think it’s so easy to think these things will be here forever,” said Ms. Haberstroh, who works as a social media manager at a marketing firm and plans to expand her rebellious project 'Not Amazon' to even more cities. “You don’t think that they’re going to go anywhere.” 

 “Small businesses have always made Toronto magical. They’re what makes this city what it is. And so I think we owe it to them to keep them alive.” She added.