Search This Blog

Showing posts with label cloud storage. Show all posts

Vulnerability in OCI Could Have Put the Data of Customers Exposed to the Attacker

 

A vulnerability called 'AttatchMe', discovered by a Wiz engineer could have allowed the attackers to access and steal the OCI storage volumes of any user without their permission. 

During an Oracle cloud infrastructure examination in June, Wiz engineers disclosed a cloud isolation security flaw in Oracle Cloud Infrastructure. They found that connecting a disk to a VM in another account can be done without any permissions, which immediately made them realize it could become a path for cyberattacks for threat actors. 

Elad Gabay, the security researcher at Wiz made a public statement regarding the vulnerability on September 20. He mentioned the possible severe outcomes of the exploitation of the vulnerability saying this could have led to “severe sensitive data leakage” for all OCI customers and could even be exploited to gain code execution remotely. 

To exploit this vulnerability, attackers need unique identifiers and the oracle cloud infrastructure's environment ID (OCID) of the victim, which can be obtained either through searching on the web or through low-privileged user permission to get the volume OCID from the victim's environment. 

The vulnerability 'AttachMe' is a critical cloud isolation vulnerability, which affects a specific cloud service. The vulnerability affects user data/files by allowing malicious actors to execute severe threats including removing sensitive data from your volume, searching for cleartext secrets to move toward the victim's environment, and making the volume difficult to access, in addition to partitioning the disk that contains the operating system folder. 

The guidelines of OCI state that volumes are a “virtual disk” that allows enough space for computer instances. They are available in the two following varieties in OCI: 

1. Block volume: it is detachable storage, allowing you to expand the storage capacity if needed. 

2. Boot volume: it is a detachable boot volume device containing the image used to boot a system such as operating systems, and supporting systems. 

As soon as Oracle's partner and customer Wiz announced the vulnerability, Oracle took immediate measures to patch the vulnerability while thanking wiz for disclosing the security flaw and helping them in resolving it in the last update advisory of receiving the patch for the vulnerability.

Experts Discover New CloudMensis Spyware Targeting Apple macOS Users

 

Researchers in cybersecurity have revealed previously unknown malware targeting Apple's macOS operating system. The malware, nicknamed CloudMensis by the Slovak cybersecurity firm ESET, is reported to exploit popular cloud storage systems like pCloud, Yandex Disk, and Dropbox only for receiving attacker orders and exfiltrating files. 

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé stated in a report published. 

CloudMensis was found in April 2022, written in Objective-C, and is intended to attack both Intel and Apple semiconductor architectures. The initial infection vector for the attacks, as well as the targets, are yet unclear. However, the malware's limited dissemination suggests that it is being utilised as a part of a carefully targeted operation targeting businesses of interest. 

ESET discovered an attack chain that exploits code execution and administrative rights to launch a first-stage payload that is used to retrieve and run a second-stage malware housed on pCloud, which exfiltrates documents, screenshots, and email attachments, among other things. 

The first-stage downloader is also known to delete evidence of Safari sandbox escape and privilege escalation attacks in 2017 that make use of four now-resolved security flaws, implying that CloudMensis may have gone undetected for many years. The implant also includes capabilities that allow it to circumvent the Transparency, Consent, and Control (TCC) security system, which requires all programmes to seek user permission before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes. 

It accomplishes this by exploiting another fixed security flaw known as CVE-2020-9934, which was discovered in 2020. The backdoor also allows you to access a list of running processes, capture screenshots, list files from removable storage devices, and launch shell commands and other arbitrary payloads. 

Furthermore, an examination of information from the cloud storage infrastructure reveals that the pCloud accounts were established on January 19, 2022, with compromises beginning on February 4 and spiking in March. 

M.Léveillé said, "The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."

Hopper: A Tool Developed at Dropbox to Detect Lateral Movement Attacks

 

Hopper, a tool developed by Dropbox, UC Berkeley, and other organizations, adds a different method to spotting hostile activities in corporate networks. Hopper is a tool that examines an organization's login records to look for indicators of lateral movement attacks. The tool has two main components: a causality engine that tracks login paths and a score algorithm that determines which login paths contain lateral movement attack features. 

Dropbox, Inc., is an American corporation based in San Francisco, California. It offers cloud storage, file synchronization, personal cloud, and client software service. Dropbox organizes files into a single location on the user's computer by generating a dedicated folder. The contents of these folders are synchronized with Dropbox's servers as well as other computers and devices where the user has installed Dropbox, ensuring that all devices have the same files. 

Many data breaches and security issues in businesses begin with the compromising of a basic device or low-privileged user account. As attackers succeed, they acquire access to increasingly important systems and resources by moving beyond their initial point of entry to other workstations and administrator-level user accounts. This is referred to as "lateral movement," and it is a warning indication of an oncoming security disaster. 

It's difficult to tell the difference between typical user activity and malevolent lateral movement. Detecting the change in the past required establishing precise network activity rules or using anomaly detection methods. “Unfortunately, the scale of modern enterprises inherently produces large numbers of anomalous-but-benign logins, causing traditional anomaly detection to generate too many false alarms,” the researchers explain.

Hopper was created with the understanding that lateral movement attacks have two distinct characteristics – attackers want to gain access to a server that their original victim doesn't have, and they'll need to attack privileged accounts like sysadmins to accomplish so. Hooper can identify which behaviors require additional inquiry by filtering and reviewing login pathways based on these two vectors. 

Hopper was evaluated using 15 months of data from Dropbox's enterprise network, which includes more than 780 million login events and 326 simulated red team attacks. Other lateral movement detection techniques produced eight times more false alarms than the tool, which was able to detect 94.5 % of attacks.

This Malware that Uses Steam Profile Images to Hide Itself

 

In May 2021, a researcher tweeted about a new malware that hides itself inside Steam profile photos. Except for a warning that the length of the ICC profile data is not acceptable, common online EXIF tools don't provide anything significant about the image. Because the malware is stored in encrypted form inside the PropertyTagICCProfile value instead of an ICC profile. The goal of an ICC profile is to appropriately map colours for output devices like printers. 

Valve's Steam is a video game digital distribution platform. In September 2003, it was released as a separate software client as a mechanism for Valve to give automatic updates for their games, and it was later expanded to include games from third-party publishers. Digital rights management (DRM), server hosting, video streaming, and social networking services are all available through Steam. It also includes community features such as friends lists and groups, cloud storage, and in-game voice and chat functions, as well as game installation and automatic updates.

While concealing malware in the metadata of an image file is not a novel concept, leveraging a gaming platform like Steam has never been done before. This strategy makes sense from the attacker's perspective: It's as simple as updating a profile image file to remove the infection. There are also a lot of valid accounts, and blacklisting the Steam platform would have a lot of unintended consequences. 

It should be emphasised that no installation of Steam – or any other game platform – is required to become a target for this strategy. The Steam platform only acts as a medium for the malicious file to be distributed.  

An external component, which only sees the profile image on one Steam profile, does the hard lifting in terms of downloading, unpacking, and executing the malicious payload. This payload can be transmitted by a variety of methods, including manipulated emails and infected websites. 

The Steam profile image is neither contagious or executable in any way. It acts as a vehicle for the malware itself. It requires the extraction of a second malware. This malware sample's second component is a downloader. It uses TripleDES to decode the payload from the picture and has the password "PjlDbzxS#;8@x.3JT&4MsTqE0" hardcoded.

More than 17,000 Domains Affected with Code which Steals Card Data



Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

Cybercriminals exploited the lack of access control in Amazon's cloud storage services and affected over 17,000 domains via automated attacks which reconstructed JavaScript code randomly, without monitoring if the code could load a payment page.

The exploit came as a part of Megacart operations, originated in the month of April; attackers injected payment card skimming code to a high number of domains with JavaScript files in poorly configured Amazon S3 buckets which granted writing permissions to the person finding them.

According to the security researchers at RiskIQ, the discovery of these S3 buckets had been automated by the authors of the campaign.

Referencing from the findings made by Yonathan Klijnsma, RiskIQ's head of threat research, "Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket."

"Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content," he added.

The fact that a large number of websites employing Amazon's cloud storage services fell short in fortifying access to the corresponding assets played a major role for Magecart campaign in realizing its malicious objectives.