OpenSea NFT Market Users' Identities Were Exposed via a Bug

In 2022, OpenSea had more than 1 million registered members, and more than 121 million people visited the website each month. This makes OpenSea not only the biggest NFT market but also a highly attractive target for cybercriminals. Any flaw in the platform could create an opening for criminal activity and result in catastrophe for unsuspecting users.

The cross-site search vulnerability, which an attacker could use to obtain user identities, was made possible by a misconfiguration.

According to the report, OpenSea has subsequently issued a patch to address the problem. In order to reduce the possibility of additional exploitation, the patch limits cross-origin communication. The vulnerability no longer exists, according to the cyber security company's analysis of the remedy.

Web applications that use query-based search systems are vulnerable to cross-site search. By submitting queries and observing how the search system's behavior differs depending on whether a query returns results, an attacker can retrieve sensitive data from another origin.

After confirming that the fundamental exploit strategies were effective, researchers started looking at OpenSea's search feature. The company referenced ElasticSearch in one of its job listings, so this is probably the engine behind its search function.

With the help of ElasticSearch, you can swiftly search through and analyze huge amounts of data. ElasticSearch's capacity to normalize language via language-specific analyzers and stemmers is one of its important features.

The root of the problem is the $13.3 billion market's use of an incorrectly configured iFrame-resizer library. A cross-site search vulnerability arises when this library is used in an environment where cross-origin communication is unrestricted, and OpenSea had not restricted it.

The misconfiguration is what allowed this bug and the resulting exposure of user identities. Given that the NFT ecosystem is solely predicated on anonymity, this kind of weakness might have major financial repercussions for OpenSea because, if it were exploited, the attacker could conduct phishing attacks. They could also keep tabs on those who made the most expensive NFT purchases.

Immediately after the vulnerability was made public, OpenSea patched it by limiting cross-origin communication. This reduced the vulnerability's potential for further exploitation. In order to stop the exploitation of these platforms, it is crucial to be constantly on the lookout for inherent faults and vulnerabilities.
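
What limiting cross-origin communication looks like for a frame that reports its size, as an added example that is not OpenSea's or the iFrame-resizer project's code: the embedded frame posts only to an allowlisted parent origin, and the hosting page accepts messages only from the expected frame. The origins, message shape and function names are assumptions made for illustration.

```javascript
// Added example: origin-restricted resize messaging between an embedded
// frame and the page that hosts it. Origins and message shape are constructed.
const ALLOWED_PARENT_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_CHILD_ORIGINS = new Set(["https://widgets.example.com"]);
const MAX_HEIGHT_PX = 10000;

// Accept only an exact https origin string (no path, no "*", no "null").
function normalizeOrigin(value) {
  try {
    const url = new URL(value);
    return url.protocol === "https:" && url.origin === value ? url.origin : null;
  } catch {
    return null;
  }
}

// Embedded frame: post the height to a known parent origin, never to "*".
// The browser drops the message if the parent's real origin differs.
function reportHeight(parentWindow, parentOrigin, height) {
  const origin = normalizeOrigin(parentOrigin);
  if (origin === null || !ALLOWED_PARENT_ORIGINS.has(origin)) return false;
  parentWindow.postMessage({ type: "resize", height }, origin);
  return true;
}

// Hosting page: act on a message only if it comes from the expected origin,
// from the frame we created, and carries a well-formed height.
function handleMessage(event, iframe) {
  if (!ALLOWED_CHILD_ORIGINS.has(event.origin)) return false;
  if (event.source !== iframe.contentWindow) return false;
  const data = event.data;
  if (!data || data.type !== "resize") return false;
  if (!Number.isInteger(data.height)) return false;
  if (data.height < 0 || data.height > MAX_HEIGHT_PX) return false;
  iframe.style.height = `${data.height}px`;
  return true;
}
```

In a browser the hosting page would register it with `window.addEventListener("message", (e) => handleMessage(e, frame))`.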


Misconfiguration Identified in Google Cloud Platform

 

A misconfiguration discovered in the Google Cloud Platform could allow threat actors to gain complete control over virtual machines by exploiting legitimate features in the system, according to researchers at Mitiga, a cloud incident response firm.

Mitiga uncovered the misconfiguration several months ago while examining Google Cloud Platform’s (GCP) Compute Engine, specifically its virtual machine (VM) services. The cloud incident response vendor found that it allowed attackers to send and receive data from the VM and possibly gain complete control over the system. However, Mitiga emphasizes that this is not a security loophole or a system error; it is described as a “dangerous functionality”.

Mitiga notes that malicious actors could use a compromised metadata API, named “getSerialPortOutput”, which is used for tracking and reading serial port keys. The researchers described the API call as a “legacy method of debugging systems”, since serial ports are not ports in the TCP/IP sense but rather files of the form /dev/ttySX, given that this is Linux.

"We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw," Andrew Johnston, principal consultant at Mitiga, stated. 

After Mitiga reported the findings to Google, the company agreed that the misconfiguration could be exploited to bypass firewall settings. Mitiga proposed two changes to Google's getSerialPortOutput function: restricting its use to only higher-tiered permission roles, and allowing organizations to disable any additions or alterations of VM metadata at runtime.

Additionally, the company advised Google to revise its GCP documentation, to further clarify that firewalls and other network access controls don’t fully restrict access to VMs. However, Google disagreed with a majority of the recommendations. 
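
A way to review who can call getSerialPortOutput in your own project, in the spirit of the access-control recommendation above (an added example, not code from Mitiga or Google). The role and policy data are constructed samples shaped like IAM role definitions and policy bindings, and the function name and severity labels are assumptions.

```javascript
// Added example: list principals whose roles grant serial-port read access,
// alone or together with the ability to change VM metadata.
// Role and policy data below are constructed samples.
const SERIAL_READ = "compute.instances.getSerialPortOutput";
const SET_METADATA = "compute.instances.setMetadata";

const sampleRoles = [
  { name: "projects/demo/roles/vmDebugger",
    includedPermissions: [SERIAL_READ, "compute.instances.get"] },
  { name: "projects/demo/roles/vmOperator",
    includedPermissions: [SET_METADATA, "compute.instances.start"] },
  { name: "projects/demo/roles/billingReader",
    includedPermissions: ["billing.accounts.get"] },
];
const samplePolicy = { bindings: [
  { role: "projects/demo/roles/vmDebugger",
    members: ["user:alice@example.com", "serviceAccount:ci@demo.example"] },
  { role: "projects/demo/roles/vmOperator",
    members: ["serviceAccount:ci@demo.example"] },
  { role: "projects/demo/roles/billingReader", members: ["user:bob@example.com"] },
] };

function auditSerialPortAccess(roles, policy) {
  const permsByRole = new Map(
    roles.map((r) => [r.name, new Set(r.includedPermissions || [])]));
  const held = new Map(); // member -> Set of sensitive permissions held
  for (const binding of policy.bindings || []) {
    const perms = permsByRole.get(binding.role);
    if (!perms) continue; // role definition not supplied, cannot evaluate
    for (const perm of [SERIAL_READ, SET_METADATA]) {
      if (!perms.has(perm)) continue;
      for (const member of binding.members || []) {
        if (!held.has(member)) held.set(member, new Set());
        held.get(member).add(perm);
      }
    }
  }
  const findings = [];
  for (const [member, perms] of held) {
    if (!perms.has(SERIAL_READ)) continue;
    // Both permissions on one principal, even via different roles, rank higher.
    findings.push({ member, severity: perms.has(SET_METADATA) ? "high" : "review" });
  }
  return findings.sort((a, b) => a.member.localeCompare(b.member));
}
```

Bindings to roles whose definitions are not supplied are skipped, so predefined roles need their permission lists included in the input to be evaluated.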

"After a long exchange, Google did ultimately concur that certain portions of their documentation could be made clearer and agreed to make changes to documentation that indicated the control plane can access VMs regardless of firewall settings. Google did not acknowledge the other recommendations nor speak to specifics regarding whether a GCP user could evade charges by using the getSerialPortOutput method," Johnston wrote in the report.

50% of Misconfigured Containers Hit by Botnets in an Hour

 

Aqua Security announced on Monday that information gathered from container honeypots over a six-month period indicated that 50% of misconfigured Docker APIs are attacked within 56 minutes of being set up. 

According to the study, it takes adversaries' bots an average of five hours to scan a new honeypot. The quickest scan took only a few minutes, while the longest took 24 hours. This finding, according to Assaf Morag, a principal data analyst with Aqua's Team Nautilus, emphasizes the need to discover and resolve cloud misconfigurations quickly, or to prevent them from occurring before app deployment.

Security professionals, according to Morag, must be aware that even the smallest misconfiguration could expose their containers and Kubernetes clusters to a cyberattack. 

“The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” stated Morag. 

“Although cryptocurrency mining is still the lowest hanging fruit and thus more targeted, we have seen more attacks that involve the delivery of malware, establishing of backdoors, and data and credentials theft. Focusing on misconfigurations is important, but companies also need a more holistic approach that includes a focus on supply chain attacks.” 

The findings of this paper were incorporated into the MITRE ATT&CK Container Framework's development. Container security has been on MITRE's radar for a while, but it wasn't until later that the business started noticing enough reported activity to start analyzing the area and add it to ATT&CK, according to Adam Pennington, MITRE ATT&CK director. 

“We’ve gone from occasional anecdotes about security incidents to a number of organizations regularly detecting and talking about intrusions,” Pennington said. 

Cloud misconfigurations have become a serious risk for container users, according to Michael Cade, senior global technologist for Kasten by Veeam. 

“Misconfigurations are one of the ways that containers are uniquely exposed, basically as a default to ease development burdens. They are a likely point of ingress for container attacks, so it’s extremely important to have an effective remediation plan in place,” Cade stated.