Search This Blog

Showing posts with label Amazon Web Services. Show all posts

Cloudflare Blocks a  DDoS Attack with 15 million Requests Per Second

 

On Wednesday, Cloudflare, an internet infrastructure company, revealed it has successfully resisted one of the largest volumetric distributed denials of service (DDoS) attacks ever seen. A DDoS attack with a pace of 15.3 million requests per second (rps) was discovered and handled earlier this month, making it one of the greatest HTTPS DDoS attacks ever. 

According to Cloudflare's Omer Yoachimik and Julien Desgats, "HTTPS DDoS assaults are more pricey of necessary computational resources due to the increased cost of establishing a secure TLS encrypted connection." "As a result, the attacker pays more to launch the assault, and the victim pays more to mitigate it. Traditional bandwidth DDoS assaults, in which attackers seek to exhaust and jam the victim's internet connection bandwidth, are different from volumetric DDoS attacks. Instead, attackers concentrate on sending as many spam HTTP requests as possible to a victim's server to consume valuable server CPU and RAM and prevent legitimate visitors from accessing targeted sites."

Cloudflare previously announced it mitigated the world's largest DDoS attack in August 2021, once it countered a 17.2 million HTTP requests per second (rps) attack, which the company described as nearly three times larger than any prior volumetric DDoS attack ever observed in the public domain. As per Cloudflare, the current attack was launched from a botnet including about 6,000 unique infected devices, with Indonesia accounting for 15% of the attack traffic, trailed by Russia, Brazil, India, Colombia, and the United States. 

"What's intriguing is the majority of the attacks came from data centers," Yoachimik and Desgats pointed out. "We're seeing a significant shift away from residential network Internet Service Providers (ISPs) and towards cloud compute ISPs." According to Cloudflare, the attack was directed at a "crypto launchpad," which is "used to showcase Decentralized Finance projects to potential investors." 

Amazon Web Services recorded the largest bandwidth DDoS assault ever at 2.3 terabytes per second (Tbps) in February 2020. In addition, cybersecurity firm Kaspersky reported this week about the number of DDoS attacks increased 4.5 times year over year in the first quarter of 2022, owing partly to Russia's invasion of Ukraine.

AWS, and Alibaba Cloud was Attacked by Crypto Miners

 

An intel source recently provided Cisco Talos with modified versions of the TeamTNT cybercrime team's infected shell scripts, an earlier version of which was documented by Trend Micro. The malware creator modified these tools after learning that security experts had disclosed the prior version of its scripts. These scripts are intended primarily for Amazon Web Services (AWS), but they might also be used on-premise, in containers, or in other Linux instances. 

There are multiple TeamTNT payloads focusing on bitcoin mining, persistence, and lateral movement employing tactics like identifying and installing on with all Kubernetes pods in a local network, in addition to the primary credential stealer scripts. A script containing user credentials for the distribution system server and another with an API key which may allow remote access to a tmate shared login session is also included. Defense evasion functions aimed at defeating Alibaba cloud security technologies are included in some TeamTNT scripts.

When it comes to decision making obtaining credentials, the script looks for them in the following places and APIs: 

  • It attempts to obtain the string 'AWS' from /proc/*/environ from the Linux system environment variables. 
  • Obtaining the string 'AWS' from Docker environment variables with the command $(docker inspect $) (docker ps -q).
  • /home/.aws/credentials and /root/.aws/credentials are the default AWS CLI credential file locations.
While the query itself will not be caught by Cisco Secure Cloud Analytics, the alert "AWS Temporary Token Persistence" will detect later use of these credentials to generate further temporary credentials. Finally, the virus saves any credentials acquired by the preceding functions to the file "/var/tmp/TeamTNT AWS STEALER.txt" and uses cURL to transfer it to the URL http://chimaera[.]cc/in/AWS.php before deleting it. 

No CloudTrail, GuardDuty, or SCA events were generated when the script ran on the target EC2 instance for all network traffic was restricted by the VPC Security Group such as the script could not access TeamTNT's servers. 

The core of the defense impairment functions is directed against Alibaba Cloud Security's numerous agents, how, they also target Tencent Cloud Monitor and third-party BMC Helix Cloud Security, agents. While the bulk of malicious scripts targets AWS Elastic Compute Cloud (EC2) virtual machines, these bots are most typically detected running inside Alibaba Cloud Elastic Compute Service (ECS) or a Tencent Cloud VM. They could theoretically be put on a VM operating on AWS or any other service, but it would be unusual. TeamTNT makes no attempt to disable AWS CloudWatch, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other popular cloud security tools in the United States. 

The Alibaba defense damage routines have been retrieved and saved here from the script Kubernetes root payload 2.sh. Since static analysis of the defense impairment functions is problematic due to the presence of multiple Base64 encoded strings, those functions have been decrypted and placed back into the file ali-defense-impairment-base64-decoded.sh.txt. 

"Cybercriminals who have been exposed by security researchers should update those tools to keep functioning successfully," stated Darin Smith of Talos. 

The serious remote code execution problem in Spring Framework (CVE-2022-22965) has been leveraged to deploy cryptocurrency miners, in yet another example of how threat actors quickly co-opt recently revealed flaws into existing attacks. To deploy the cryptocurrency miners, the exploitation efforts employ a unique web shell, but not before switching off the firewall and disabling other virtual currency miner processes.

A Data Breach To An AWS Portal Glitch By Ravkoo, A US-based Online Pharmacy

 

Ravkoo, an online prescription filling service, suffered a data breach, exposing health and other sensitive information. The company's prescription interface is hosted by Amazon Web Services (AWS). 

A security incident occurred in a specific instance that saved prescription information, allowing the information to be easily accessed. The unauthorized access occurred in September 2021, and the Ravkoo security team discovered it in October of that year. 

On January 3rd, 2022, around 150,000 potentially affected customers received breach notification letters. Ravkoo has discovered no cause to assume the exposed data was spreading or being utilized for nefarious activities at the time of writing their public statement, but that could change. The FBI and other authorities have been notified, and they are working with Ravkoo to investigate the situation further to determine who may be responsible. 

"Ravkoo has no indication that any of your personal information has been or will be exploited as a result of this occurrence at this time. Nonetheless, out of an abundance of caution, Ravkoo chose to alert you about this incident," according to Alpesh Patel, the online pharmacy's CEO, because it hasn't received any reports of identity theft relating to the data breach since September 27, the date of the incident. Ravkoo also claims to have reported the event to the appropriate authorities and to be working with forensic experts to examine the issue and improve its security posture. The hacker also provided records of 340,000 prescriptions written by Ravkoo between November 3, 2020, and September 11, 2021, totaling $8.5 million in medicine prices, according to Micah Lee of The Intercept. 

Ravkoo's identity monitoring services are available to users who may have been affected by the breach. The scope of the exposed data has not been released, however, the concerned parties should report any unlawful activity they see. Health information can be sold and exploited to commit medical identity theft, as we discussed earlier this week. For those who have their information utilized unlawfully, this might result in a variety of problems. Following an occurrence like this, it's critical to remain vigilant.

643GB of Customer Information Exposed in a Data Breach Suffered by Bizongo

 

The issue of data fraud has been on a rapid rise, as of late, and evidently so as data breaches are a matter of serious concern for data applications in all aspects of life. In recent days, few Indian start-ups have suffered several data violations. 

In the light of that, an alarming data violation within the packaging acquisition company Bizongo, a digital platform located in Mumbai, India, was discovered by the Website Planet Security Team. As just at end of December 2020, the team disclosed an incorrect bucket belonging to Bizongo that leaves highly confidential data potentially exposed to hackers and other unauthentic sources. Due to the complexity of the breach, more than a thousand organizations and hundreds of thousands of people could be affected. 

The key concern of Bizongo is serving Indian firms and there is no indication that their facilities extend beyond Indian borders. While its website domain has just been altered to 'dotcom,' it indicates that international companies have the potential of becoming a part of Bizongo. 

With more than 400 customers across multiple sectors, Bizongo is an online packing market, with over 860 million packings shipped to date. With customers using their Business to Business (B2B) supply chain and vendor management systems, Bizongo has disclosed almost 2.5 million (643Gb) data files that contain names, addresses, billing numbers, and customer payment information, with Amazon, Flipkart, Myntra, Swiggy and Zomato being some of their prime customers. 

A malfunctioning Amazon Web Services (AWS) S3 bucket operated by Bizongo was indeed the cause of the data leak as per the security team of Website Planet. There were two kinds of files in the bucket — customer bills and dispatch labeling. 

In a blog post, the Website Planet wrote, “With clear examples of branded shipping labels and customer receipts, finding the owner of the breached database was reasonably straightforward. All of the exposed data was identified as accurate, with the data belonging to real individuals.” 

The exact period during which this data wasn’t secured is currently unclear. The team, nevertheless, noted that the violation was detected and registered on 30 December 2020. While Bizongo has never responded to this data breach, on 8 January 2021, when the breach was closed, the website planet security staff revised the bucket anyway. 

Although the Indian data security legislation has not been enforced yet, Bizongo remains guilty of almost any misreporting of personal data. Affected individuals have a legitimate right to pursue civil proceedings and reimbursement. 

Any Indian company or packaging provider using the Bizongo platform also faces the possibility of this infringement affecting them. Concerned parties should seek further clarification from Bizongo themselves on their data and this violation. Since they cannot be sure if non-ethical attackers and fraudsters access unsecured data. However, the information leaked is likely to be detected, so users should be mindful of a variety of risks. 

“We take data security very seriously and implement best security practices to keep our and our customer data secure. We have taken strong measures to prevent such accidental misconfiguration from happening in the future,” the Bizongo added.

A Bug in iPhone Call Recording App Exposed Clients Data

 

A security vulnerability in a famous iPhone call recording application exposed thousands of users' recorded conversations. The flaw was found by Anand Prakash, a security researcher and founder of PingSafe AI, who tracked down that the aptly named Automatic Call Recorder application permitted anybody to access the call recordings from different clients — by knowing their phone number. 
 This application can track and record calls without an internet connection and can alter the voices of recordings, upload them to Dropbox, Google Drive, or One Drive, and also can translate in up to 50 dialects. All the client information gets stored in the company’s cloud storage on Amazon web services. This cloud storage has somewhere around 130,000 audio recordings that make up almost 300 GB. 

 Security circumstances like this are disastrous. Alongside affecting client's security, these issues likewise debilitate the organization's image and give an additional benefit to the contenders, said Anand Prakash. “This wasn’t just a violation of data privacy but also affected the users physically and at cyber risk, if their recorded conversations carry sensitive personal information. App makers that go wrong in investing in their cybersecurity must accept that the fines they could face for non-compliance with data privacy laws are extremely expensive – not to mention the cost of losing their customers' trust” he added. 

The bug was detected by Anand Prakash on the 27th of the last month when he was able to modify the web traffic and supplant the enlisted telephone number with someone else's number utilizing a proxy site called Burp, which gave him admittance to that person's call records and details. Fortunately, the bug was fixed by Saturday, March 6th, and the glitch-free version was launched in the Apple App Store. 

The call recorder clients were advised to uninstall the previous variant and download the latest rendition that is 2.26 or newer which is accessible on the Apple App Store. The paid variant is $6.99 for 7 days; additionally, they allow a three-day trial period. Their most basic monthly membership costs $14.99, with a 12 months advance, and has a few other options as well.

Clickjacking Vulnerability Spamming the User’s Facebook Wall


A Polish Security Researcher who works under the name of Lasq, found a malevolent spam campaign that spams the users' Facebook wall by exploiting the vulnerability. The said vulnerability came into his notice after he saw it repeatedly being abused by a Facebook spammer group.

The vulnerability as indicated by Lasq is known to reside in the mobile version of the Facebook for the most part through popups while the desktop version stays unaffected.

The link that is the root of all the spamming gives off an impression of being facilitated in an Amazon Web Services (AWS) bucket and diverts the user to a comic website, after they are requested to confirm their ages in French. In any case, even after the user has tapped on the link and done whatever it requested, it was still found to show up on the user's Facebook wall.

At the point when Lasq researched about this issue he found that the spammers were utilizing codes to abuse the IFrame component of Facebook's mobile sharing dialog. He tested for it then with the popular browsers, like the Chrome, Chromium, Edge, IE, Firefox and every other program which displayed X-Edge-Options error and thusly published a blog post with the technical subtleties. He suspected clickjacking.

Later he gathered that because Facebook had disregarded the X-Edge-Options header for the mobile sharing discourse, the "age verification" popup which displayed prior, skirted Facebook's system.


Lasq reached out to Facebook, yet shockingly they declined to fix the issue contending that it is operating in as intended and the case has been closed within 12 hours from an underlying report and clickjacking is an issue just when an attacker some way or another alters the state of the users' account.

On being reached by ZDNet, Facebook essentially stressed on the part that they are consistently enhancing their "clickjacking detection systems" to forestall spam.