
Ransomware Assaults on AWS' S3 Buckets Have Become More Likely


AWS is the most popular cloud service provider, with a solid reputation for security and dependability. Despite this, Ermetic's research shows that identities pose a severe security concern and expose buckets to the risk of a ransomware attack: according to the new research, 90% of S3 buckets are vulnerable to ransomware attack.

Ermetic conducted the survey in order to better understand the security posture of AWS environments and their susceptibility to ransomware attacks, as well as to assist enterprises in identifying system flaws and mitigating risks. “Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” said Shai Morag, CEO of Ermetic. 

A stunning 70% of machines had permissions that could be exploited and were openly exposed to the internet. In 45% of cases, the privileges of third-party identities could be escalated to admin level. Furthermore, 80% of IAM users had access credentials that had not been used in at least 180 days but were still active.
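The last finding above, active access keys that have sat unused for 180 days or more, is something an account owner can check directly from the IAM credential report. The audit below is an added example, not code from the article or from Ermetic; it runs over a constructed report sample that follows the column layout of the IAM credential report (user, arn, access_key_N_active, access_key_N_last_rotated, access_key_N_last_used_date), with placeholder account id 123456789012 and made-up user names. A key that has never been used is measured from its last rotation date, since it has been idle for at least that long.

```python
import csv
import io
from datetime import datetime, timedelta

# Threshold matching the figure quoted in the article: 180 days without use.
STALE_AFTER = timedelta(days=180)

# Constructed sample in the layout of an IAM credential report (subset of columns).
# Account id 123456789012 and all user names are placeholders.
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,true,2021-06-01T09:00:00+00:00,2021-09-20T11:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2020-11-15T09:00:00+00:00,2021-01-02T08:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,true,2020-02-10T09:00:00+00:00,N/A,true,2021-08-30T09:00:00+00:00,2021-10-01T12:00:00+00:00
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,false,2019-05-01T09:00:00+00:00,2019-06-01T00:00:00+00:00,false,N/A,N/A
"""


def parse_ts(value):
    """Credential-report timestamps are ISO 8601; N/A and no_information mean 'never'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_active_keys(report_csv, now, max_idle=STALE_AFTER):
    """Return (user, key_slot, idle_days) for every active key idle for max_idle or longer."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys cannot be used, so they are not the concern here
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            # A key that was never used has been idle since it was created/rotated.
            reference = last_used or parse_ts(row[f"access_key_{slot}_last_rotated"])
            idle = now - reference
            if idle >= max_idle:
                findings.append((row["user"], f"access_key_{slot}", idle.days))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
    audit_time = datetime.fromisoformat("2021-10-15T00:00:00+00:00")
    for user, slot, days in stale_active_keys(SAMPLE_REPORT, audit_time):
        print(f"{user}: {slot} active but unused for {days} days")
```

On the sample this flags bob's key (last used in January) and ci-deploy's first key (never used since it was issued in early 2020), while alice's recently used key and svc-legacy's already deactivated keys are left alone. Deactivating such keys removes a credential an attacker could otherwise use against the buckets they have access to.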

According to Saumitra Das, Blue Hexagon CTO and Cofounder, this report emphasises the critical need to “detect threats” in the cloud rather than focusing solely on misconfigurations. Research from the Cloud Security Alliance shows that even where S3 buckets are misconfigured or IAM access keys have been inactive for a long time, it can take days, weeks, or even months for these issues to be discovered and remedied.

It also emphasises that ransomware is not just an on-premises issue: as the pandemic has accelerated the transfer of workloads to the cloud, attackers and ransomware operators have followed those workloads into the cloud.

Firms must monitor three things, according to Das: the runtime activity of identities; cloud storage, including read/write patterns; and network activity, which can help companies determine when instances are exposed to the internet and when their identities are being misused.

According to the research, here are a few methods that organizations can take to protect their AWS S3 buckets from ransomware: 

• Deploy Minimum Privilege - implement an authorization system that allows identities to conduct their business functions with only the bare minimum of entitlements, decreasing the possibility of ransomware reaching buckets.

• Reduce the risk of ransomware by following best practices to avoid or remove the common weaknesses that ransomware can use to steal identities and install malware.

• Use logging and monitoring tools like CloudTrail and CloudWatch to spot suspicious activity, enabling early detection and response in the event of a ransomware attack.
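The third recommendation, spotting suspicious activity in CloudTrail, can be made concrete with a simple rate rule: an identity deleting many objects from one bucket within a short window is the kind of pattern a ransomware operation produces and a normal workload rarely does. The detector below is an added example, not code from the article or from the vendors quoted; it runs over a constructed log in which each line is one CloudTrail S3 data-event record (the shape of an entry from CloudTrail's Records array, reduced to the fields used here), with placeholder account id 123456789012 and made-up identities and bucket names. The threshold and window are assumptions to be tuned per environment.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# S3 API calls that destroy data or arrange for it to be destroyed (lifecycle expiry).
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteBucket", "PutBucketLifecycle"}


def _record(event_time, arn, event_name, bucket):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": event_time,
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"arn": arn},
        "requestParameters": {"bucketName": bucket},
    }


ALICE = "arn:aws:iam::123456789012:user/alice"          # placeholder identities
BOB = "arn:aws:iam::123456789012:user/bob"
CONTRACTOR = "arn:aws:iam::123456789012:user/ops-contractor"

# Constructed log, one JSON record per line, in time order:
# alice deletes two files, bob reads ten, the contractor wipes seven objects in seven seconds.
_records = (
    [_record("2021-10-15T03:00:00Z", ALICE, "DeleteObject", "team-docs"),
     _record("2021-10-15T03:00:30Z", ALICE, "DeleteObject", "team-docs")]
    + [_record(f"2021-10-15T03:05:{i:02d}Z", BOB, "GetObject", "corp-backups") for i in range(10)]
    + [_record(f"2021-10-15T03:12:{i:02d}Z", CONTRACTOR, "DeleteObject", "corp-backups") for i in range(7)]
)
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _records)


def parse_cloudtrail_lines(text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_mass_deletion(records, threshold=5, window=timedelta(minutes=2)):
    """Alert once per (identity, bucket) when destructive calls reach threshold inside window."""
    recent = defaultdict(deque)  # (arn, bucket) -> timestamps of recent destructive calls
    alerted = set()
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in DESTRUCTIVE:
            continue
        key = (rec["userIdentity"]["arn"], rec["requestParameters"]["bucketName"])
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"identity": key[0], "bucket": key[1],
                           "events": len(q), "window_end": rec["eventTime"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_deletion(parse_cloudtrail_lines(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the sample only the contractor's burst against corp-backups fires; alice's two deletions stay under the threshold and bob's reads are not destructive at all. In a real deployment the same rule would sit on S3 data events delivered by CloudTrail (which must be enabled per bucket or trail, as data events are not logged by default) and feed a CloudWatch alarm or the SIEM.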

Attackers Exploit Two Vulnerabilities in SaltStack to Publish Arbitrary Control Messages and Much More

CISA has warned users about two critical vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, that are being actively exploited by cybercriminals, leaving thousands of cloud servers across the globe exposed to the threat.

The vulnerabilities are easy to exploit and of high severity, and researchers have labelled them particularly 'dangerous'. They allow attackers to execute code remotely with root privileges on the Salt master and run a range of commands from there.

Salt is employed for the configuration, management, and monitoring of servers in cloud environments and data centers. It provides automation: it scans IT systems to find vulnerabilities and then runs automation workflows to remediate them. It gathers real-time data about the state of all managed components and applies machine learning and industry expertise to examine threats more precisely. In practice, it is used to check installed package versions across all IT systems, look for vulnerabilities, and then remediate them by installing fixes.

The two vulnerabilities, discovered by F-Secure researchers, are CVE-2020-11651, an authentication bypass flaw, and CVE-2020-11652, a directory traversal flaw. By exploiting them, attackers can bypass all authentication and authorization controls and connect directly to the request server. Once authentication is bypassed, attackers can publish arbitrary control messages and make changes to the master server's file system. All Salt versions prior to 2019.2.4 and 3000.2 are affected by the vulnerabilities.
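Because the fix is tied to the two release lines named above (2019.2.4 and 3000.2), the first defensive step is to find every master and minion still running an older build. The script below is an added example, not code from the article or from the SaltStack project; it applies the affected-version statement from the paragraph above to a constructed inventory of host names and version strings (the kind of output `salt '*' test.version` returns). It assumes, beyond what the article states, that releases numbered after 3000 (3001 and later) ship with the fix, and it treats any release line older than 2019.2 as unpatched.

```python
import re

# Fixed releases per the advisory quoted in the article: 2019.2.4 and 3000.2.
FIXED_2019 = (2019, 2, 4)
FIXED_3000 = (3000, 2)

# Constructed inventory: minion id -> version string as reported by test.version.
# Host names and versions are made up for the example.
SAMPLE_INVENTORY = {
    "salt-master-01": "2019.2.3",
    "web-01": "2019.2.4",
    "web-02": "3000.1",
    "db-01": "3000.2",
    "build-01": "3000",
    "legacy-01": "2018.3.5",
    "new-01": "3001",
    "odd-01": "3000.2+ds-1",   # distro packaging suffix; only the numeric prefix matters
}


def parse_version(version):
    """Turn '2019.2.3' or '3000.2+ds-1' into an integer tuple, ignoring any suffix."""
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Salt version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version):
    """True if the version predates the fix for CVE-2020-11651 / CVE-2020-11652."""
    v = parse_version(version)
    if v[0] < 3000:
        # Year-based release lines: anything before 2019.2.4 (including 2018.x) is affected.
        return v < FIXED_2019
    if v[0] == 3000:
        # 3000 and 3000.1 are affected; 3000.2 carries the fix.
        return v < FIXED_3000
    # Assumption for this example: 3001 and later contain the fix.
    return False


def unpatched_hosts(inventory):
    """Return sorted (host, version) pairs that still need the fix."""
    return sorted((host, ver) for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host, ver in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Salt {ver} is affected, upgrade to 2019.2.4 / 3000.2 or later")
```

Tuple comparison handles the bare "3000" case correctly, since (3000,) sorts before (3000, 2). Patching is the fix; in the meantime the exposure the Xen Orchestra case below illustrates is the master's network reachability, so confirming which masters are reachable from outside belongs on the same checklist as the version audit.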

Xen Orchestra, an all-in-one, user-friendly web-based management service, became the latest victim of cybercriminals exploiting the two high-severity vulnerabilities in Salt. The attackers ran a cryptominer on the firm's virtual machines (VMs); the company noticed on the 3rd of May, when various services on its infrastructure became inaccessible.

While commenting on the matter, Olivier Lambert, Xen Orchestra's founder, said, “A coin mining script ran on some of our VMs, and we were lucky nothing bad happened to us – no RPMs affected and no evidence that private customer data, passwords or other information have been compromised. GPG signing keys were not on any affected VMs. We don’t store any credit card information nor plain text credentials. Lesson learned...”

“In short, we were caught in a storm affecting a lot of people. We all have something in common: we underestimated the risk of having the Salt master accessible from outside,” he added. “Luckily, the initial attack payload was really dumb and not dangerous. We are aware it might have been far more dangerous and we take it seriously as a big warning. The malware world is evolving really fast: having an auto-update for our management software wasn’t enough.”

“If you are running SaltStack in your own infrastructure, please be very careful. Newer payloads could be far more dangerous,” warned Lambert.