
Mainframes are Still Used in 9 Out of 10 Banks, Google Cloud Wishes to Mitigate


It has been announced that Google Cloud is introducing a simpler, more risk-averse way for enterprises to migrate their legacy mainframe estates to the cloud. Google Cloud's newly launched service is based on technology originally developed by Banco Santander and aims to simplify planning and execution.

As a result, customers can perform real-time testing before they transition to Google Cloud Platform as their primary system to ensure their cloud workloads are performing as expected, running securely, and meeting regulatory compliance requirements – without stopping their application or negatively impacting user experience.

In an interview with Protocol on Tuesday, Nirav Mehta, Google Cloud's senior director of product management for cloud infrastructure solutions and growth, said: "This is a simple concept, but it is difficult to implement and hasn't been done yet. As compared to moving mainframe applications to the cloud, this solution will substantially reduce the risk associated with doing so."

Dual Run creates a parallel instance of the mainframe workloads using virtual machines on the Google Cloud Platform (GCP). As Mehta describes it, a launcher/splitter is an architecture containing the mechanisms needed to duplicate activity, and to return the "primary" system's response, at each interface that either drives incoming requests or triggers scheduled workloads; it can handle both.

A real-time monitoring dashboard shows the differences in transaction responses between the mainframe and GCP deployments. A single output hub also provides one point of contact during the roll-out period for all batch information that needs to be sent out and collected.

Once customers are comfortable using their mainframes only as backups, they can retire them or keep them as storage.

As long as your mainframe is the primary system handling customer requests, it should remain the system of choice for quite some time to come; the cloud instance is nothing more than a secondary system that runs the same requests as the regular system, Mehta explained. As part of the monitoring process, you keep a record of the responses coming back from both the mainframe and Google Cloud to determine whether the Google Cloud instance is working as well as the mainframe. At some point, you switch over to using Google Cloud as your primary source of data and the mainframe as your secondary.
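The launcher/splitter pattern Mehta describes, as an added illustration that is not Google Cloud's or Santander's code: every request is answered by the primary system, a copy is mirrored to the shadow system, and the two responses are compared and any divergence recorded for review. The handlers, the sample accounts, the rounding discrepancy and the "timestamp"/"request_id" field names are all constructed for this demo; a slow or failing shadow is handled so that it never delays or breaks the caller.

```python
import difflib
import json
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Any, Callable, Dict

Handler = Callable[[Dict[str, Any]], Dict[str, Any]]


class DualRunSplitter:
    """Serve every request from the primary, mirror it to the shadow, record divergences."""

    def __init__(self, primary: Handler, shadow: Handler, shadow_timeout: float = 0.5,
                 ignore_fields: tuple = ("timestamp", "request_id")):
        self.primary = primary              # system of record (the mainframe)
        self.shadow = shadow                # candidate system (the cloud instance)
        self.shadow_timeout = shadow_timeout
        self.ignore_fields = ignore_fields  # fields that legitimately differ between systems
        self.divergences = []               # what the monitoring dashboard would display
        self.stats = {"total": 0, "match": 0, "mismatch": 0,
                      "shadow_error": 0, "shadow_timeout": 0}
        self._pool = ThreadPoolExecutor(max_workers=4)

    def _normalise(self, resp: Dict[str, Any]) -> str:
        # Canonical JSON with volatile fields stripped, so equivalent responses compare equal.
        kept = {k: v for k, v in resp.items() if k not in self.ignore_fields}
        return json.dumps(kept, sort_keys=True, indent=1)

    def _record(self, request, reason, primary, shadow, diff=""):
        self.stats[reason] += 1
        self.divergences.append({"request": request, "reason": reason,
                                 "primary": primary, "shadow": shadow, "diff": diff})

    def handle(self, request: Dict[str, Any]) -> Dict[str, Any]:
        """Return the primary's answer; the shadow is compared on the side and never blocks it."""
        self.stats["total"] += 1
        shadow_future = self._pool.submit(self.shadow, dict(request))
        primary_resp = self.primary(request)          # the caller only ever sees this
        try:
            shadow_resp = shadow_future.result(timeout=self.shadow_timeout)
        except FutureTimeout:
            self._record(request, "shadow_timeout", primary_resp, None)
            return primary_resp
        except Exception as exc:                      # a failing shadow must not affect the caller
            self._record(request, "shadow_error", primary_resp, {"error": repr(exc)})
            return primary_resp
        p, s = self._normalise(primary_resp), self._normalise(shadow_resp)
        if p == s:
            self.stats["match"] += 1
        else:
            diff = "\n".join(difflib.unified_diff(p.splitlines(), s.splitlines(),
                                                  "primary", "shadow", lineterm=""))
            self._record(request, "mismatch", primary_resp, shadow_resp, diff)
        return primary_resp

    def match_rate(self) -> float:
        """Share of requests the shadow answered identically; the cutover decision rests on this."""
        return self.stats["match"] / self.stats["total"] if self.stats["total"] else 0.0


def run_demo() -> DualRunSplitter:
    """Constructed sample: balance lookups where the shadow rounds differently, stalls, or fails."""
    ledger = {"ACC-1": 1050.25, "ACC-2": 99.999}

    def mainframe(req):
        return {"account": req["account"], "timestamp": "legacy",
                "balance": round(ledger.get(req["account"], 0.0), 2)}

    def cloud(req):
        if req["account"] == "ACC-SLOW":
            time.sleep(0.3)                           # simulated slow shadow call
        if req["account"] == "ACC-ERR":
            raise RuntimeError("shadow backend unavailable")
        return {"account": req["account"], "timestamp": "cloud",
                "balance": ledger.get(req["account"], 0.0)}      # no rounding: 99.999 != 100.0

    splitter = DualRunSplitter(mainframe, cloud, shadow_timeout=0.05)
    for account in ("ACC-1", "ACC-2", "ACC-SLOW", "ACC-ERR"):
        splitter.handle({"account": account, "request_id": account + "-req"})
    return splitter
```

Running `run_demo()` yields one match, one mismatch (the unrounded balance), one shadow timeout and one shadow error, while every caller still received the primary's response.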

Dual Run, which is currently in preview, was developed for a wide range of industries, including financial services, health care, manufacturing, retail, and the public sector. Approximately 90% of North America's biggest banks still use mainframes, according to Mehta, as do 23 of the 25 largest U.S. retailers.

"All of these companies are looking to modernize their old mainframe applications and take them to the cloud to maximize security, scalability, and cost efficiency," he said. "However, because these systems are so mission-critical - and mainframes are especially unique in this regard since they've been around for so long and contain so much legacy technology - they perceive a lot of risks, so they do not bring them to the cloud."

In May, Banco Santander, a Google Cloud customer, published a report on the progress it has made in digitizing its core banking platform. It said that 80% of its IT infrastructure had been moved to the cloud using in-house software called Gravity to automate the process. Google Cloud has acquired an exclusive license to the technology, and its engineers have been working with Santander over the past six months to make it suitable for end-to-end mainframe migrations for customers in a wide variety of industries.

Mehta explained that Santander had only a very limited use case for the software, and that the changes Google has made have substantially elevated the solution's relevance to any mainframe customer. This is a huge deal for anyone running mainframes because it allows them to access data remotely.

Vulnerability in OCI Could Have Put the Data of Customers Exposed to the Attacker


A vulnerability called 'AttachMe', discovered by a Wiz engineer, could have allowed attackers to access and steal the OCI storage volumes of any user without their permission.

During an examination of Oracle Cloud Infrastructure (OCI) in June, Wiz engineers found a cloud isolation security flaw: a disk could be attached to a VM in another account without any permissions, which they immediately realized could become a path for cyberattacks by threat actors.

Elad Gabay, a security researcher at Wiz, made a public statement regarding the vulnerability on September 20. He described the possible severe outcomes of exploitation, saying it could have led to “severe sensitive data leakage” for all OCI customers and could even have been exploited to gain remote code execution.

To exploit this vulnerability, attackers needed the victim's unique identifiers, namely the OCID of the target volume, which could be obtained either by searching the web or through a low-privileged user permission that allows reading the volume OCID from the victim's environment.

'AttachMe' is a critical cloud isolation vulnerability affecting a specific cloud service. It puts user data and files at risk by allowing malicious actors to carry out severe attacks, including removing sensitive data from the volume, searching it for cleartext secrets in order to move further into the victim's environment, making the volume difficult to access, and partitioning the disk that contains the operating system.

OCI's documentation describes volumes as a “virtual disk” that provides storage for compute instances. They come in the following two varieties in OCI:

1. Block volume: detachable storage that lets you expand capacity if needed.

2. Boot volume: a detachable boot device containing the image used to boot a system, such as the operating system and supporting software.

As soon as Wiz, an Oracle partner and customer, reported the vulnerability, Oracle took immediate measures to patch it and, in its advisory accompanying the patch, thanked Wiz for disclosing the security flaw and helping to resolve it.

A Large Number of Ventures Suffering From Cloud Security Attacks

The advent of technology has allowed malicious actors to invade users' systems in just a few steps. Cloud security is one technology that has increasingly worked to fortify users' data against threat actors.

However, the statistics show that even the latest cybersecurity is at risk: a report published by Snyk shows that 80% of enterprises suffered an attack by such actors in just the past 12 months. The wide adoption of the cloud has been considered a major reason for the rapidly increasing number of cases.

There have been several larger cases showing breaches of cloud security, and Accenture is one company that came under such attacks. In 2017 the company's AWS S3 storage was unsecured and publicly reachable; the attackers found confidential API data, digital certificates, metadata, and more, and used it to blackmail and extort money from the company. The second was in 202, when the firm was struck by LockBit ransomware.

According to Snyk's report, 58% of respondents predicted that they will face another cloud security attack in the future, and 25% feared that they had already endured a breach of their cloud storage but were not aware of it. These perceptions are having a negative impact on cloud security. There are many other cases like Accenture's, where organisations left their cloud storage publicly accessible and did not have even basic security in place.

Avi Shua, CEO and co-founder of Orca, stated that beyond the cloud platforms providing safe spaces for data storage in cloud infrastructure, the state of the business's workloads, identities, and other assets stored in the cloud is equally responsible for the security of public cloud data.

To make the best of cloud storage and avoid falling prey to cloud security problems, it is pertinent to include experts in cloud-native security. To prevent incidents like Accenture's from occurring at other companies, relevant institutes and organisations should provide additional training and education on handling cloud security. It is implausible to deal with such a situation without planning; companies should work with proper strategies and focus on how to avoid the risk of data theft.

Cisco SD-WAN Security Flaw Allows Root Code Execution


Cisco SD-WAN implementations are vulnerable to a high-severity privilege-escalation flaw in the IOS XE operating system, which could result in arbitrary code execution.

Cisco's SD-WAN portfolio enables enterprises of all sizes to link different office sites over the cloud utilising a variety of networking technologies, including standard internet connections. Appliances at each location allow advanced analytics, monitoring, application-specific performance specifications and automation throughout a company's wide-area network. Meanwhile, IOS XE is the vendor's operating system that runs those appliances. 

The vulnerability (CVE-2021-1529) is an OS command-injection flaw that allows attackers to execute unexpected, harmful instructions directly on the operating system, which would otherwise be inaccessible. It exists specifically in the command-line interface (CLI) of Cisco's IOS XE SD-WAN software, and it could permit an authenticated, local attacker to run arbitrary commands with root privileges.

According to Cisco’s advisory, posted this week, “The vulnerability is due to insufficient input validation by the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.” 

The alert further stated that an exploit would involve authenticating to a susceptible device and delivering "crafted input" to the system CLI. A successful attacker would be able to read and write any file on the system, execute operations as any user, modify system configurations, install and uninstall software, update the OS and/or firmware, and much more, including gaining subsequent access to the corporate network.

CVE-2021-1529 has a rating of 7.8 on the CVSS vulnerability-severity scale, and researchers and the Cybersecurity and Infrastructure Security Agency (CISA) have advised organisations to fix the problem as soon as possible. 

Greg Fitzgerald, co-founder of Sevco Security, cautioned that some firms may still have outdated machines connected to their networks, which can turn issues like these into a hidden threat.

He stated in the email, “The vast majority of organizations do an excellent job patching the vulnerabilities on the systems they know about. The problem arises when enterprises do not have complete visibility into their asset inventory, because even the most responsive IT and security teams can’t patch a vulnerability for an asset they don’t know is connected to their network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”

This is only the latest SD-WAN vulnerability addressed by Cisco this year. It patched several significant buffer-overflow and command-injection SD-WAN flaws in January, the most serious of which could be abused by an unauthenticated, remote attacker to execute arbitrary code with root privileges on the affected server.

Thousands of Organizations Targeted Via 'Operation Chimaera'


The TeamTNT hacking group has enhanced its abilities by adding a set of tools that allow it to target multiple operating systems.

Earlier this week, cybersecurity experts from AT&T Alien Labs published a report on a new campaign, tracked as Chimaera. According to the AT&T researchers, infection statistics on the command-and-control (C2) server used in Chimaera suggest that the campaign began on July 25, 2021.

TeamTNT was first discovered last year in connection with the installation of cryptocurrency mining malware on susceptible Docker containers. The group's operations have been closely monitored by security firm Trend Micro, and in August 2020 experts from Cado Security contributed the more recent discovery of TeamTNT targeting Kubernetes installations.

Now, the researchers at Alien Labs believe the hacking group is targeting Windows, AWS, Docker, Kubernetes, and various Linux installations, including Alpine. Despite the short time period, the latest campaign is responsible for "thousands of infections globally," the researchers say. 

In its latest campaign, TeamTNT is using open-source tools such as the port scanner Masscan, the libprocesshider software for executing the TeamTNT bot from memory, 7z for file decompression, the b374k PHP shell panel for system control, and LaZagne.

LaZagne is an open-source tool that collects credentials stored on local devices by applications including Chrome, Firefox, Wi-Fi, OpenSSH, and various database programs. According to Palo Alto Networks, the group has also added Peirates, a cloud penetration testing toolset, to its arsenal to target cloud-based apps.

“With these techniques available, TeamTNT actors are increasingly more capable of gathering enough information in target AWS and Google Cloud environments to perform additional post-exploitation operations. This could lead to more cases of lateral movement and potential privilege-escalation attacks that could ultimately allow TeamTNT actors to acquire administrative access to an organization’s entire cloud environment,” according to Palo Alto’s June report.

While now armed with the kit necessary to target a wide range of operating systems, TeamTNT still focuses on cryptocurrency mining. For example, Windows systems are targeted with the XMRig miner: a service is created and a batch file is added to the startup folder to maintain persistence, whereas a root payload component is used on vulnerable Kubernetes systems.

HolesWarm Cryptominer Botnet Targets Unpatched Windows, Linux Servers

Researchers at Tencent have issued a warning about a HolesWarm cryptominer malware campaign that has exploited more than 20 known vulnerabilities in Linux and Windows servers. The cryptominer botnet has been so effective at rotating through so many different known vulnerabilities between attacks that Tencent researchers refer to the malware as the “King of Vulnerability Exploitation.”

HolesWarm has broken into more than 1,000 cloud hosts since June alone. Tencent warned that both government and enterprise organizations should immediately address known security flaws to avoid falling prey to the next HolesWarm attack. The cryptominer botnet also gives attackers password information and full access to the victim's server.

“As the HolesWarm virus has changed more than 20 attack methods in a relatively short period of time, the number of lost cloud hosts is still on the rise. Tencent security experts recommend that the operation and maintenance personnel of government and enterprise organizations actively repair high-risk vulnerabilities in related network components to avoid servers (becoming) a broiler controlled by hackers.” Tencent researchers said in their Tuesday report. 

HolesWarm targeting known security flaws 

Security analysts at Tencent observed HolesWarm taking advantage of high-risk flaws in several common office server components, including Apache Tomcat, Jenkins, Shiro, Spring Boot, Struts2, UFIDA, Weblogic, XXL-JOB, and Zhiyuan.

The malware uses compromised systems to mine the Monero cryptocurrency. Mining is only lucrative at scale, across many devices. Cryptominer malware gains full access to the victim's system and puts it to work as part of a much broader criminal effort to mine Monero at scale using other people's resources. According to Tencent researchers, the attackers are constantly updating their tactics.

“By pulling and updating other malicious modules, HolesWarm virus will record the version information in the configuration with the same name text while installing the malicious module,” Tencent said. “When the cloud configuration is newer, it will end the corresponding module process and update automatically.”

According to Dirk Schrader of New Net Technologies, the rapid evolution of the cryptominer malware suggests that a hacking group is just getting started with its criminal activities.

“Collecting crypto-money is a necessary step for any cybercrime group to grow and later maintain capabilities, to acquire additional exploits traded in the Dark Web or to use some cybercrime-as-a-service,” Schrader explained.

NATO's Cloud Platform Hacked


The SOA & IdM platform is used by NATO and is classified as secret. It is used to carry out various critical functions within the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries.

The organization is responsible for carrying out the North Atlantic Treaty, which was signed on April 4, 1949. NATO is a collective defense organization in which its independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium.

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting information management. The military alliance classified the platform as a secret because it performs multiple key roles. 

According to the hackers, they used a backdoor to copy the data on this platform and attempted to blackmail Everis. They went even further, joking about handing the stolen material over to Russian intelligence.

Paul Howland, Polaris Program Officer, explained the benefits of the program: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce operational costs by ensuring a much greater reuse of deployed capacities."

The hackers who carried out the attack said that at first they had no idea they could take advantage of a flaw in a NATO platform. They concentrated solely on Everis' corporate data in Latin America, despite NATO's announcement that it was ready to respond to a cyber-attack. Much to their astonishment, one of the secure NATO systems was among Everis' subsidiaries.

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified slowing the development of the Polaris programme by claiming that they were not "for peace on earth and in the cyber world". The hackers demanded a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach, and demanded the same sum in exchange for not revealing any NATO data.

Indian Organizations Suffer the Most in Public Cloud Security Incidents

In a survey of 26 countries on public cloud security incidents, India emerged as the nation hit hardest in the previous year, with 93 percent of its organizations encountering such incidents.

The survey included more than 3,500 IT managers across 26 nations in Europe, the Americas, Asia Pacific, the Middle East, and Africa that currently host data and workloads in the public cloud.

The cybersecurity incidents that Indian organizations suffered most included ransomware (53 percent) and other malware (49 percent), exposed data (49 percent), compromised accounts (48 percent), and cryptojacking (36 percent), said the report titled "The State of Cloud Security 2020" by cybersecurity company Sophos.

Europeans seem to have endured the lowest level of cloud security incidents, an indicator that compliance with General Data Protection Regulation (GDPR) guidelines is helping to protect organizations from being compromised.

However, India still hasn't enforced a data protection law.

Chester Wisniewski, Principal Research Scientist at Sophos said in a statement, "Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public Cloud."

"The recent increase in remote working provides extra motivation to disable Cloud infrastructure that is being relied on more than ever, so it's worrisome that many organizations still don't understand their responsibility in securing Cloud data and workloads," Wisniewski added.

"Cloud security is a shared responsibility, and organizations need to carefully manage and monitor Cloud environments in order to stay one step ahead of determined attackers."

According to the report, more than 55 percent of Indian organizations and businesses revealed that cybercriminals obtained access through stolen cloud provider account credentials.

Regardless, only 29 percent said that managing access to cloud accounts is a top area of concern, even though 'accidental exposure' continues to plague organizations, with misconfigurations exploited in 44 percent of reported attacks on Indian organizations.

With 76 percent of organizations using the public cloud, detection and response is the leading cloud security concern for IT managers in India, while data security remains the top concern for organizations worldwide.

Public Cloud Infrastructures suffering from Security Loopholes and Vulnerabilities, researchers say

Igal Gofman, XM head of security research, and Yaron Shani, XM senior security researcher, found in their research a new attack vector in cloud providers' APIs (application programming interfaces) that gives miscreants a window to access secured cloud data. Public cloud infrastructure has added a new, invisible management layer that complicates procedures and creates security challenges requiring better understanding. Organizations often fail to understand this management layer and therefore lag in securing it, inviting attacks.

Working with public cloud infrastructure without a proper understanding of the risks and security challenges may lead to fatal consequences for customers, as was the case in the Capital One breach. "Current security practices and controls are not sufficient to mitigate the risk posed by a misunderstanding of the public cloud", said the researchers.

Findings in the research

The researchers found that the accessibility of public cloud providers' APIs over the internet opens a window for adversaries to exploit and gain access to confidential data in the cloud, and that current security systems and practices are not equipped to counter the risk posed by cloud misconfiguration.

People in charge of managing cloud resources can easily reach the APIs using software development kits and command-line tools, as they are part of the development and IT teams. "Once those account credentials are compromised, gaining access to high-value resources is trivial," the researchers say. Cloud APIs can be accessed over the internet with the correct API key; the command-line interface tool, for example, saves the user's credentials locally, and those saved credentials can then be used to access the cloud provider.

Attackers don't need a very sophisticated approach to sneak into cloud APIs. "In practice, the sophistication required to develop such tools is not high, because basically all the information is publicly available and well-documented by most cloud providers, meaning they document each security feature in great detail and it can serve both the defenders and the adversaries," Gofman and Shani say. And once credentials are compromised, using the cloud providers' own tools, it is easy for black hats to rob you blind.

To protect themselves, organizations and companies should follow the best-practice guidelines from their cloud provider. Large organizations should constantly and periodically monitor permissions and risk factors. Analyzing attack paths can decrease the risk factors, the researchers suggest.