Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Amazon Web Services. Show all posts

The Impact of AI-Generated Content on Internet Quality

 



In a comprehensive study conducted by the Amazon Web Services (AWS) AI Lab, a disconcerting reality has surfaced, shaking the foundations of internet content. Shockingly, an extensive 57.1% of all sentences on the web have undergone translation into two or more languages, and the culprit behind this linguistic convolution is none other than large language model (LLM)-powered AI.

The crux of the issue resides in what researchers term as "lower-resource languages." These are languages for which there is a scarcity of data available for the effective training of AI models. The domino effect begins with AI generating vast quantities of substandard English content. Following this, AI-powered translation tools enter the stage, exacerbating the degradation as they transcribe the material into various other languages. The motive behind this cascade of content manipulation is a profit-driven strategy, aiming to capture clickbait-driven ad revenue. The outcome is the flooding of entire internet regions with an abundance of deteriorating AI-generated copies, creating a dreading universe of misinformation.

The AWS researchers express profound concern, eemphasising that machine-generated, multi-way parallel translations not only dominate the total translated content in lower-resource languages but also constitute a substantial fraction of the overall web content in those languages. This amplifies the scale of the issue, underscoring its potential to significantly impact diverse online communities.

The challenges posed by AI-generated content are not isolated incidents. Tech giants like Google and Amazon have grappled with the ramifications of AI-generated material affecting their search algorithms, news platforms, and product listings. The issues are multifaceted, encompassing not only the degradation of content quality but also violations of ethical use policies.

While the English-language web has been experiencing a gradual infiltration of AI-generated content, the study highlights that non-English speakers are facing a more immediate and critical problem. Beyond being a mere inconvenience, the prevalence of AI-generated gibberish raises a formidable barrier to the effective training of AI models in lower-resource languages. This is a significant setback for the scientific community, as the inundation of nonsensical translations hinders the acquisition of high-quality data necessary for training advanced language models.

The pervasive issue of AI-generated content poses a substantial threat to the usability of the web, transcending linguistic and geographical boundaries. Striking a balance between technological advancements and content reliability is imperative for maintaining the internet as a trustworthy and informative space for users globally. Addressing this challenge requires a collaborative effort from researchers, industry stakeholders, and policymakers to safeguard the integrity of online information. Otherwise this one-stop digital world that we all count on to disseminate information is destined to be doomed. 



SCARLETEEL Hackers Target AWS Fargate in Latest Cryptojacking Campaign

 

An continuing sophisticated attack effort known as SCARLETEEL continues to target cloud settings, with threat actors currently focusing on Amazon Web Services (AWS) Fargate.

According to a new report from Sysdig security researcher Alessandro Brucato, "Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture."

The cybersecurity firm originally revealed SCARLETEEL in February 2023, describing a complex attack chain that resulted in the theft of confidential information from AWS infrastructure and the installation of bitcoin miners to illicitly profit from the resources of the compromised systems.

However, Sysdig told The Hacker News that it "could be someone copying their methodology and attack patterns." Cado Security's follow-up investigation revealed possible connections to the well-known cryptojacking outfit TeamTNT.

The threat actor's recent action is a continuation of his propensity to target AWS accounts by taking advantage of weak public-facing web apps in order to achieve persistence, steal intellectual property, and maybe earn $4,000 per day utilizing bitcoin miners.

According to Brucato, "The actor discovered and exploited a flaw in an AWS policy which allowed them to escalate privileges to AdministratorAccess and gain control over the account, enabling them to then use it however they wanted."

The rival starts by taking advantage of JupyterLab notebook containers that are set up in a Kubernetes cluster. Using this initial foothold, the adversary conducts reconnaissance on the target network and gathers AWS credentials to gain further access to the victim's environment.

The installation of the AWS command-line tool and the Pacu exploitation framework for later exploitation come next. The assault is notable for using a variety of shell scripts, some of which target AWS Fargate compute engine instances, to retrieve AWS credentials.

"The attacker was observed using the AWS client to connect to Russian systems which are compatible with the S3 protocol," Brucato said, adding the SCARLETEEL actors used stealthy techniques to ensure that data exfiltration events are not captured in CloudTrail logs.

Other actions done by the attacker include the employment of a DDoS botnet virus known as Pandora and the Kubernetes Penetration Testing tool Peirates, all of which point to continued efforts on the side of the actor to monetize the host.

"The SCARLETEEL actors continue to operate against targets in the cloud, including AWS and Kubernetes," Brucato said. 

"Their preferred method of entry is exploitation of open compute services and vulnerable applications. There is a continued focus on monetary gain via crypto mining, but [...] intellectual property is still a priority."



A Swiss Hacker Uncovered Confidential FBI Terrorism Screening Center File

Personal information of civilians who were on an outdated version of the US Government's No Fly List and Terrorist Screening Database was found on an open server by a 23-year-old Swiss hacker.

On January 12, Maia Arson Crimew, an influential hacker noted by the Department of Justice in a separate indictment, discovered the highly sensitive documents while browsing through a search engine full of unsecured servers. 

The text file "NoFly.csv," which refers to the subset of people in the Terrorist Screening Database who have been prohibited from flying because of suspected or known ties to terrorist organizations, was found after server analysis.

According to crimew, there were reportedly more than 1.5 million entries on the list overall. The data includes names and birthdates. The number of distinct people was significantly fewer than 1.5 million because it also contained many aliases.

According to the hacker, CommuteAir, an Ohio-based minor airline, maintained the insecure Amazon Web Services cloud server that contained the No Fly List as well as confidential data on roughly 1,000 of the airline's employees. Their passport numbers, addresses, and phone numbers were apparently included in this data.

Many of the names on the list appeared to be of Arabic or Middle Eastern ancestry, however, there were also Hispanic and Anglican-sounding names. The uncovered No-Fly list had several well-known names, including Viktor Bout, a Russian arms dealer who was recently released from a US prison in exchange for US basketball player Brittney Griner. Also included on the list were alleged IRA members, an Irish paramilitary group. Another person was listed as being 8 years old by crimew based on their birth year.

While those on the smaller No-fly list are known or suspected terrorists who are prohibited from traveling to or inside the US, those on the Terrorist Screening Database may be subject to enhanced security checks and inspections when traveling.

According to the FBI, a list of people shared among government agencies is the Terrorism Screening Database, which is intended to prevent the kind of intelligence failures that took place before 9/11. The more constrained, smaller No Fly List is contained within it. People who have been screened for terrorism may be subject to further security checks and limitations. No one from the No Fly List is allowed to board an airplane in the United States.

Cloudflare Blocks a  DDoS Attack with 15 million Requests Per Second

 

On Wednesday, Cloudflare, an internet infrastructure company, revealed it has successfully resisted one of the largest volumetric distributed denials of service (DDoS) attacks ever seen. A DDoS attack with a pace of 15.3 million requests per second (rps) was discovered and handled earlier this month, making it one of the greatest HTTPS DDoS attacks ever. 

According to Cloudflare's Omer Yoachimik and Julien Desgats, "HTTPS DDoS assaults are more pricey of necessary computational resources due to the increased cost of establishing a secure TLS encrypted connection." "As a result, the attacker pays more to launch the assault, and the victim pays more to mitigate it. Traditional bandwidth DDoS assaults, in which attackers seek to exhaust and jam the victim's internet connection bandwidth, are different from volumetric DDoS attacks. Instead, attackers concentrate on sending as many spam HTTP requests as possible to a victim's server to consume valuable server CPU and RAM and prevent legitimate visitors from accessing targeted sites."

Cloudflare previously announced it mitigated the world's largest DDoS attack in August 2021, once it countered a 17.2 million HTTP requests per second (rps) attack, which the company described as nearly three times larger than any prior volumetric DDoS attack ever observed in the public domain. As per Cloudflare, the current attack was launched from a botnet including about 6,000 unique infected devices, with Indonesia accounting for 15% of the attack traffic, trailed by Russia, Brazil, India, Colombia, and the United States. 

"What's intriguing is the majority of the attacks came from data centers," Yoachimik and Desgats pointed out. "We're seeing a significant shift away from residential network Internet Service Providers (ISPs) and towards cloud compute ISPs." According to Cloudflare, the attack was directed at a "crypto launchpad," which is "used to showcase Decentralized Finance projects to potential investors." 

Amazon Web Services recorded the largest bandwidth DDoS assault ever at 2.3 terabytes per second (Tbps) in February 2020. In addition, cybersecurity firm Kaspersky reported this week about the number of DDoS attacks increased 4.5 times year over year in the first quarter of 2022, owing partly to Russia's invasion of Ukraine.

AWS, and Alibaba Cloud was Attacked by Crypto Miners

 

An intel source recently provided Cisco Talos with modified versions of the TeamTNT cybercrime team's infected shell scripts, an earlier version of which was documented by Trend Micro. The malware creator modified these tools after learning that security experts had disclosed the prior version of its scripts. These scripts are intended primarily for Amazon Web Services (AWS), but they might also be used on-premise, in containers, or in other Linux instances. 

There are multiple TeamTNT payloads focusing on bitcoin mining, persistence, and lateral movement employing tactics like identifying and installing on with all Kubernetes pods in a local network, in addition to the primary credential stealer scripts. A script containing user credentials for the distribution system server and another with an API key which may allow remote access to a tmate shared login session is also included. Defense evasion functions aimed at defeating Alibaba cloud security technologies are included in some TeamTNT scripts.

When it comes to decision making obtaining credentials, the script looks for them in the following places and APIs: 

  • It attempts to obtain the string 'AWS' from /proc/*/environ from the Linux system environment variables. 
  • Obtaining the string 'AWS' from Docker environment variables with the command $(docker inspect $) (docker ps -q).
  • /home/.aws/credentials and /root/.aws/credentials are the default AWS CLI credential file locations.
While the query itself will not be caught by Cisco Secure Cloud Analytics, the alert "AWS Temporary Token Persistence" will detect later use of these credentials to generate further temporary credentials. Finally, the virus saves any credentials acquired by the preceding functions to the file "/var/tmp/TeamTNT AWS STEALER.txt" and uses cURL to transfer it to the URL http://chimaera[.]cc/in/AWS.php before deleting it. 

No CloudTrail, GuardDuty, or SCA events were generated when the script ran on the target EC2 instance for all network traffic was restricted by the VPC Security Group such as the script could not access TeamTNT's servers. 

The core of the defense impairment functions is directed against Alibaba Cloud Security's numerous agents, how, they also target Tencent Cloud Monitor and third-party BMC Helix Cloud Security, agents. While the bulk of malicious scripts targets AWS Elastic Compute Cloud (EC2) virtual machines, these bots are most typically detected running inside Alibaba Cloud Elastic Compute Service (ECS) or a Tencent Cloud VM. They could theoretically be put on a VM operating on AWS or any other service, but it would be unusual. TeamTNT makes no attempt to disable AWS CloudWatch, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other popular cloud security tools in the United States. 

The Alibaba defense damage routines have been retrieved and saved here from the script Kubernetes root payload 2.sh. Since static analysis of the defense impairment functions is problematic due to the presence of multiple Base64 encoded strings, those functions have been decrypted and placed back into the file ali-defense-impairment-base64-decoded.sh.txt. 

"Cybercriminals who have been exposed by security researchers should update those tools to keep functioning successfully," stated Darin Smith of Talos. 

The serious remote code execution problem in Spring Framework (CVE-2022-22965) has been leveraged to deploy cryptocurrency miners, in yet another example of how threat actors quickly co-opt recently revealed flaws into existing attacks. To deploy the cryptocurrency miners, the exploitation efforts employ a unique web shell, but not before switching off the firewall and disabling other virtual currency miner processes.

A Data Breach To An AWS Portal Glitch By Ravkoo, A US-based Online Pharmacy

 

Ravkoo, an online prescription filling service, suffered a data breach, exposing health and other sensitive information. The company's prescription interface is hosted by Amazon Web Services (AWS). 

A security incident occurred in a specific instance that saved prescription information, allowing the information to be easily accessed. The unauthorized access occurred in September 2021, and the Ravkoo security team discovered it in October of that year. 

On January 3rd, 2022, around 150,000 potentially affected customers received breach notification letters. Ravkoo has discovered no cause to assume the exposed data was spreading or being utilized for nefarious activities at the time of writing their public statement, but that could change. The FBI and other authorities have been notified, and they are working with Ravkoo to investigate the situation further to determine who may be responsible. 

"Ravkoo has no indication that any of your personal information has been or will be exploited as a result of this occurrence at this time. Nonetheless, out of an abundance of caution, Ravkoo chose to alert you about this incident," according to Alpesh Patel, the online pharmacy's CEO, because it hasn't received any reports of identity theft relating to the data breach since September 27, the date of the incident. Ravkoo also claims to have reported the event to the appropriate authorities and to be working with forensic experts to examine the issue and improve its security posture. The hacker also provided records of 340,000 prescriptions written by Ravkoo between November 3, 2020, and September 11, 2021, totaling $8.5 million in medicine prices, according to Micah Lee of The Intercept. 

Ravkoo's identity monitoring services are available to users who may have been affected by the breach. The scope of the exposed data has not been released, however, the concerned parties should report any unlawful activity they see. Health information can be sold and exploited to commit medical identity theft, as we discussed earlier this week. For those who have their information utilized unlawfully, this might result in a variety of problems. Following an occurrence like this, it's critical to remain vigilant.

643GB of Customer Information Exposed in a Data Breach Suffered by Bizongo

 

The issue of data fraud has been on a rapid rise, as of late, and evidently so as data breaches are a matter of serious concern for data applications in all aspects of life. In recent days, few Indian start-ups have suffered several data violations. 

In the light of that, an alarming data violation within the packaging acquisition company Bizongo, a digital platform located in Mumbai, India, was discovered by the Website Planet Security Team. As just at end of December 2020, the team disclosed an incorrect bucket belonging to Bizongo that leaves highly confidential data potentially exposed to hackers and other unauthentic sources. Due to the complexity of the breach, more than a thousand organizations and hundreds of thousands of people could be affected. 

The key concern of Bizongo is serving Indian firms and there is no indication that their facilities extend beyond Indian borders. While its website domain has just been altered to 'dotcom,' it indicates that international companies have the potential of becoming a part of Bizongo. 

With more than 400 customers across multiple sectors, Bizongo is an online packing market, with over 860 million packings shipped to date. With customers using their Business to Business (B2B) supply chain and vendor management systems, Bizongo has disclosed almost 2.5 million (643Gb) data files that contain names, addresses, billing numbers, and customer payment information, with Amazon, Flipkart, Myntra, Swiggy and Zomato being some of their prime customers. 

A malfunctioning Amazon Web Services (AWS) S3 bucket operated by Bizongo was indeed the cause of the data leak as per the security team of Website Planet. There were two kinds of files in the bucket — customer bills and dispatch labeling. 

In a blog post, the Website Planet wrote, “With clear examples of branded shipping labels and customer receipts, finding the owner of the breached database was reasonably straightforward. All of the exposed data was identified as accurate, with the data belonging to real individuals.” 

The exact period during which this data wasn’t secured is currently unclear. The team, nevertheless, noted that the violation was detected and registered on 30 December 2020. While Bizongo has never responded to this data breach, on 8 January 2021, when the breach was closed, the website planet security staff revised the bucket anyway. 

Although the Indian data security legislation has not been enforced yet, Bizongo remains guilty of almost any misreporting of personal data. Affected individuals have a legitimate right to pursue civil proceedings and reimbursement. 

Any Indian company or packaging provider using the Bizongo platform also faces the possibility of this infringement affecting them. Concerned parties should seek further clarification from Bizongo themselves on their data and this violation. Since they cannot be sure if non-ethical attackers and fraudsters access unsecured data. However, the information leaked is likely to be detected, so users should be mindful of a variety of risks. 

“We take data security very seriously and implement best security practices to keep our and our customer data secure. We have taken strong measures to prevent such accidental misconfiguration from happening in the future,” the Bizongo added.

A Bug in iPhone Call Recording App Exposed Clients Data

 

A security vulnerability in a famous iPhone call recording application exposed thousands of users' recorded conversations. The flaw was found by Anand Prakash, a security researcher and founder of PingSafe AI, who tracked down that the aptly named Automatic Call Recorder application permitted anybody to access the call recordings from different clients — by knowing their phone number. 
 This application can track and record calls without an internet connection and can alter the voices of recordings, upload them to Dropbox, Google Drive, or One Drive, and also can translate in up to 50 dialects. All the client information gets stored in the company’s cloud storage on Amazon web services. This cloud storage has somewhere around 130,000 audio recordings that make up almost 300 GB. 

 Security circumstances like this are disastrous. Alongside affecting client's security, these issues likewise debilitate the organization's image and give an additional benefit to the contenders, said Anand Prakash. “This wasn’t just a violation of data privacy but also affected the users physically and at cyber risk, if their recorded conversations carry sensitive personal information. App makers that go wrong in investing in their cybersecurity must accept that the fines they could face for non-compliance with data privacy laws are extremely expensive – not to mention the cost of losing their customers' trust” he added. 

The bug was detected by Anand Prakash on the 27th of the last month when he was able to modify the web traffic and supplant the enlisted telephone number with someone else's number utilizing a proxy site called Burp, which gave him admittance to that person's call records and details. Fortunately, the bug was fixed by Saturday, March 6th, and the glitch-free version was launched in the Apple App Store. 

The call recorder clients were advised to uninstall the previous variant and download the latest rendition that is 2.26 or newer which is accessible on the Apple App Store. The paid variant is $6.99 for 7 days; additionally, they allow a three-day trial period. Their most basic monthly membership costs $14.99, with a 12 months advance, and has a few other options as well.

Clickjacking Vulnerability Spamming the User’s Facebook Wall


A Polish Security Researcher who works under the name of Lasq, found a malevolent spam campaign that spams the users' Facebook wall by exploiting the vulnerability. The said vulnerability came into his notice after he saw it repeatedly being abused by a Facebook spammer group.

The vulnerability as indicated by Lasq is known to reside in the mobile version of the Facebook for the most part through popups while the desktop version stays unaffected.

The link that is the root of all the spamming gives off an impression of being facilitated in an Amazon Web Services (AWS) bucket and diverts the user to a comic website, after they are requested to confirm their ages in French. In any case, even after the user has tapped on the link and done whatever it requested, it was still found to show up on the user's Facebook wall.

At the point when Lasq researched about this issue he found that the spammers were utilizing codes to abuse the IFrame component of Facebook's mobile sharing dialog. He tested for it then with the popular browsers, like the Chrome, Chromium, Edge, IE, Firefox and every other program which displayed X-Edge-Options error and thusly published a blog post with the technical subtleties. He suspected clickjacking.

Later he gathered that because Facebook had disregarded the X-Edge-Options header for the mobile sharing discourse, the "age verification" popup which displayed prior, skirted Facebook's system.


Lasq reached out to Facebook, yet shockingly they declined to fix the issue contending that it is operating in as intended and the case has been closed within 12 hours from an underlying report and clickjacking is an issue just when an attacker some way or another alters the state of the users' account.

On being reached by ZDNet, Facebook essentially stressed on the part that they are consistently enhancing their "clickjacking detection systems" to forestall spam.