Showing posts with label Cloud based services.

Zoom Outage Rendered Services Unavailable

 

According to the latest updates, Zoom went down for users worldwide, preventing them from signing in or joining any meeting or webinar.

Users complained that they were unable to start or join meetings, and some added that they could not manage their Zoom services on the website.

Users also reported error pages reading “Sorry the page you are looking for is currently unavailable. Please try again later” and “If you are the system administrator of this resource then you should check the error log for details, faithfully yours, Nginx.”

Zoom played a crucial role during the pandemic, when the importance of cloud-based software, apps, and online activity was truly appreciated. With people stuck inside their homes and forced to work, study, or talk to family through screens, the application came as a savior, helping some people stay employed and others keep learning.

Reports from Downdetector showed the Zoom outage affecting numerous users worldwide, with early reports concentrated on the US East Coast and southern UK.

Zoom itself confirmed the issue on its service status page. The problem was identified at 6:50 a.m., according to the reports, and Zoom kept posting updates throughout its investigation: “we have identified the issue starting and joining meetings. We will continue to investigate and provide updates as we have them.”

Zoom is a cloud-based platform that lets people worldwide connect through video conferencing and collaboration tools. It provides virtual meetings over audio, video, or both, and the app runs on mobile devices, desktops, and laptops.

Affected users breathed a sigh of relief when the video conferencing company posted on its status page on September 15 that services had been restored: “Everything should be working properly now! We are continuing to monitor the situation.” Zoom's CEO tweeted an apology for the disruption.

Safeguarding From Container Attacks Inside the Cloud


Containerization has become a key trend in software development as an alternative to virtualization. It entails packaging software code together with all of its dependencies so that it runs consistently across any infrastructure. Containers are self-contained, portable units that represent whole software environments: they include everything a program needs to run, including binaries, libraries, configuration data, and references. Docker and Amazon's Elastic container services are two of the better-known choices.

Although many containers can run on the same infrastructure and share the same operating system kernel, they are isolated from that layer and have little direct interface with the actual hosting elements, for instance a public cloud instance. The ability to spin applications up and down instantly for users is one of the many advantages of running cloud-based containers. Admins can use orchestration to centrally manage containerized apps and services at scale, for example rolling out automatic updates and isolating any malfunctioning containers.

Container adoption is at an all-time high, worldwide businesses of all sizes are eager to jump on board. According to a poll conducted by the Cloud Native Computing Foundation (CNCF), 83 percent of respondents plan to use Kubernetes in production in 2020, up from 78 percent the year before and just 58 percent in 2018. As adoption grows, cybercriminals' interest grows as well. According to a June Red Hat study, 94 percent of respondents have experienced a Kubernetes security problem in the last 12 months. 

Larry Cashdollar, an Akamai security researcher, recently set up a basic Docker container honeypot to see what kind of attention it would get from cybercriminals on the wider web. The results were alarming: in just 24 hours, the honeypot was used for four different malicious campaigns. Cashdollar exposed SSH on the container and set a deliberately guessable root password. Because it was running a typical cloud container configuration, it would not stand out as an obvious honeypot, he explained; it would instead look like a vulnerable cloud instance. The attacks had a variety of objectives: one campaign aimed to use the container as a proxy to reach Twitch feeds or other services, another attempted a botnet infection, a third attempted crypto mining, and the fourth ran a work-from-home scam.

"Profit is still the key motivator for cybercriminals attacking containers," as these cases demonstrate, according to Mark Nunnikhoven, a senior cloud strategist at Lacework. "CPU time and bandwidth can be rented to other criminals for buried services, or even used to directly mine cryptocurrencies. Data can be sold or ransomed at any time. In an environment where containers are frequently used, these reasons do not change." 

According to a recent Gartner study, customer misconfigurations and mistakes will be the primary cause of more than 99 percent of cloud breaches through 2025. According to Trevor Morgan, product manager at comforte AG, most businesses, particularly smaller ones, rely on default configuration options rather than the more advanced and granular setup capabilities available: "Simple errors or selecting default settings that are far less safe than customized options." The configuration problems typically go beyond the containers themselves. Last July, for example, misconfigured Argo Workflows instances were found being abused to attack Kubernetes clusters.

Argo Workflows is an open-source, container-native workflow engine for coordinating parallel activities on Kubernetes to reduce processing time for compute-intensive tasks such as machine learning and large data processing. 

According to an analysis by Intezer, malware operators were using publicly exposed dashboards that required no authentication from outside users to drop crypto miners into the cloud. After misconfiguration, compromised images or layers are the next most serious threat to containers, according to Nunnikhoven. "Lacework Labs has witnessed multiple instances of cybercriminals infiltrating containers, either through malware implants or pre-installed crypto mining apps," he said. "When a group deploys the pictures, the attacker has access to the victim's resources."

According to Gal Singer, an Aqua Security researcher, one such flaw (CVE-2020-15157) was found in the container image-pulling process: adversaries could build dedicated container images that leaked the host's token when they were pulled into a project. Similarly, a denial-of-service vulnerability in a Go container-storage library used by Kubernetes tooling (CVE-2021-20291) could be triggered by placing a malicious image in a registry; when an unwary user pulled the image, the DoS condition was triggered.

Another source of concern is vulnerabilities, both known and unknown. Several container flaws were discovered in 2021, but "Azurescape" was likely the most alarming: within Microsoft's multitenant container-as-a-service offering, Unit 42 researchers found a chain of exploits that could allow a malicious Azure user to take over other customers' container instances.

Containerized environments pose unique challenges for observability and security controls, according to Nunnikhoven, but a comprehensive security approach helps. Researchers recommended a laundry list of best practices for securing Kubernetes assets:

  • Avoid default settings; use strong passwords.
  • To prevent attackers from impersonating the token owner, never send privileged service account tokens to anyone other than the API server.
  • Enable the BoundServiceAccountTokenVolume feature: a pod's token is invalidated when the pod ends, reducing the risk of token theft.
  • Review orchestrators for least-privilege settings, and verify that CI/CD actions are authenticated, logged, and monitored.
  • Be comprehensive: build a unified risk picture that covers both cloud-based applications and traditional IT infrastructure.
  • Have data-analysis tooling in place, along with an automated runbook that can react to its findings.
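The defaults the list above warns about can be checked mechanically before a manifest reaches the cluster. The following Python audit is an added example for this page, not code from the cited researchers or from Kubernetes; it flags auto-mounted service account tokens, projected tokens that live longer than an assumed site policy (MAX_TOKEN_TTL), privileged containers, unpinned images and use of the default namespace. The two manifests are constructed sample input, written as dicts in place of the YAML a cluster would receive.

```python
"""Audit Kubernetes pod specs against the best-practice list on this page.
Added illustration; not code from the cited researchers or from Kubernetes.
The two manifests are constructed sample input."""
from __future__ import annotations

from typing import Any

MAX_TOKEN_TTL = 3600  # assumed site policy for projected token lifetime, in seconds

# Constructed sample: a pod left on defaults.
DEFAULT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "batch-worker"},  # no namespace -> 'default'
    "spec": {
        "containers": [{
            "name": "worker",
            "image": "example/worker:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "api-token", "mountPath": "/var/run/api"}],
        }],
        "volumes": [{
            "name": "api-token",
            "projected": {"sources": [{"serviceAccountToken": {
                "path": "token", "expirationSeconds": 31536000}}]},
        }],
    },
}

# Constructed sample: the same workload with the recommendations applied.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "batch-worker", "namespace": "batch"},
    "spec": {
        "automountServiceAccountToken": False,  # token only via the explicit volume below
        "containers": [{
            "name": "worker",
            "image": "example/worker:1.4.2",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
            "volumeMounts": [{"name": "api-token", "mountPath": "/var/run/api"}],
        }],
        "volumes": [{
            "name": "api-token",
            # Bound token: short-lived and tied to this pod, so it dies with the pod.
            "projected": {"sources": [{"serviceAccountToken": {
                "path": "token", "expirationSeconds": 600}}]},
        }],
    },
}


def image_is_pinned(image: str) -> bool:
    """True when the image is pinned by digest or by an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    _, sep, tag = image.rpartition(":")
    # 'registry.example:5000/app' has a port but no tag: rpartition leaves the path in `tag`.
    if not sep or "/" in tag:
        return False
    return tag != "latest"


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means the spec passed every check."""
    findings: list[str] = []
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    name = meta.get("name", "<unnamed>")

    if meta.get("namespace", "default") == "default":
        findings.append(f"{name}: runs in the 'default' namespace")

    # Unless a pod talks to the API server it should not carry a token at all.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(f"{name}: service account token is auto-mounted")

    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            tok = src.get("serviceAccountToken")
            if tok is None:
                continue
            ttl = tok.get("expirationSeconds")
            if ttl is None or ttl > MAX_TOKEN_TTL:
                findings.append(f"{name}: projected token '{vol['name']}' lives {ttl}s (max {MAX_TOKEN_TTL}s)")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}/{cname}: image '{c.get('image', '')}' is not pinned (floating or 'latest' tag)")
    return findings


if __name__ == "__main__":
    for pod in (DEFAULT_POD, HARDENED_POD):
        print(pod["metadata"].get("namespace", "default"), pod["metadata"]["name"])
        for finding in audit_pod(pod) or ["  OK"]:
            print(" ", finding)
```

Run against the two constructed manifests, the default pod produces five findings and the hardened one none. The same checks fit naturally into an admission controller or a CI step that runs before `kubectl apply`, which is where the "authenticated, logged, and monitored" CI/CD recommendation above is enforced.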

Pascom Cloud Phone System Contains Severe RCE Flaws

 

Pascom's Cloud Phone System can be fully compromised by chaining three separate vulnerabilities, security researchers have found. Daniel Eshetu of Ethiopian infosec firm Kerbit used a trio of individually less critical security issues to gain full pre-authentication remote code execution (RCE) on the business-focused Voice over IP (VoIP) and general communication platform.

The successful exploit has three components: a path traversal vulnerability, a server-side request forgery (SSRF) flaw in a third-party component, and a post-authentication RCE flaw.

The Pascom Cloud Phone System is a complete collaboration and communication solution that enables enterprises to host and set up private telephone networks across several platforms, as well as manage, maintain, and upgrade virtual phone systems.

According to the company's LinkedIn, "Pascom, which was founded in 1997 and is the creator of the unique pascom IP phone system software, has over 20 years of expertise providing custom VoIP telecommunications and network infrastructure solutions. By offering organizations a unique, highly professional software-based IP PBX solution, our VoIP phone systems help them add value to the communications."

The three flaws are an arbitrary path traversal in the web interface, a server-side request forgery (SSRF) owing to an outdated third-party dependency (CVE-2019-18394), and a post-authentication command injection via a daemon service ("exd.pl").

  • The SSRF issue, tracked as CVE-2021-45967, was caused by an out-of-date Openfire (XMPP server) jar; it stems from CVE-2019-18394, an Openfire vulnerability found three years earlier.
  • XMPP is an open communication protocol that handles instant messaging, presence, and contact list functions.
  • The third flaw is a command injection in a scheduled task (CVE-2021-45966).

Put another way, the vulnerabilities can be chained to reach non-exposed endpoints by sending arbitrary GET requests, obtain the administrator password, and then use that password to gain remote code execution via the scheduled job.

"This provides users full control of the device and an easy means to escalate privileges," Daniel Eshetu said, adding that the attack chain may be used "to execute commands as root." The issues were reported to Pascom on January 3, 2022, and patches have since been released. Customers who self-host CPS should update to the latest version (pascom Server 19.21) as soon as possible.

CoinStomp Malware is Aimed at Asian Cloud Service Providers

 

Researchers have uncovered a new malware family that mines cryptocurrency on cloud services. According to Cado Security, the malware, dubbed CoinStomp, consists of shell scripts that "try to target cloud compute instances hosted by cloud service providers for the purpose of mining cryptocurrencies." The overall goal of CoinStomp, the company's researchers say, is to silently breach instances and harness their computational resources to mine cryptocurrency illicitly, an attack known as cryptojacking.

So far, a handful of attacks have targeted cloud service providers in Asia. Clues in the code also referenced Xanthe, a cryptojacking group previously linked to the Abcbot botnet. However, the clue, found in a defunct payload URL, is insufficient to attribute CoinStomp and may have been included in an "attempt to dodge attribution," according to the team.

CoinStomp has several intriguing features. One is its reliance on timestomping: modifying the timestamps of files dropped or used during an attack. The technique is commonly used as an anti-forensics strategy to confuse investigators and thwart remediation. Although the Rocke gang has previously used timestomping in cryptojacking attacks, it is not a common technique. On Linux, timestomping is trivial with the -t flag of the touch command.

"It seems likely that timestomping was employed to obfuscate usage of the chmod and chattr utilities, as forensic tools would display the copied versions of these binaries as being last accessed (executed) at the timestamp used in the touch command," Cado Security noted. 
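The trick has a weakness an investigator can lean on: `touch -t` (and `os.utime`, which the script below uses in its place) rewrites a file's atime and mtime, but the kernel stamps ctime with the current time on every inode change and user space cannot set it, so a file whose mtime is far older than its ctime was written or copied recently and then back-dated. The following check is an added example for this page, not Cado Security's tooling; the scratch directory built in demo() is constructed input that mimics the copied chmod binary from the quote above.

```python
"""Triage check for timestomped files on Linux by comparing ctime with mtime.
Added example for this page, not Cado Security's tooling; demo() builds a
constructed scratch directory so the check runs stand-alone."""
import os
import tempfile
from pathlib import Path

STOMPED_EPOCH = 1546300800  # 2019-01-01T00:00:00Z, the date the demo rewinds to


def find_timestomped(root, max_skew=3600):
    """Return files under root whose ctime is more than max_skew seconds after mtime.

    ctime is set by the kernel on every inode change and cannot be rewound from
    user space, so mtime << ctime means the modification time was back-dated
    after the file was written (or copied with its timestamps preserved).
    """
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        if st.st_ctime - st.st_mtime > max_skew:
            hits.append(str(path))
    return sorted(hits)


def demo():
    """Create one freshly written file and one back-dated copy, then scan for them."""
    with tempfile.TemporaryDirectory() as scratch:
        fresh = Path(scratch, "normal.sh")
        fresh.write_text("#!/bin/sh\necho hello\n")

        stomped = Path(scratch, "bin", "chmod")         # stands in for the copied chmod
        stomped.parent.mkdir()
        stomped.write_bytes(b"\x7fELF-not-really")       # constructed placeholder content
        os.utime(stomped, (STOMPED_EPOCH, STOMPED_EPOCH))  # same effect as `touch -t 201901010000`

        hits = find_timestomped(scratch)
        return hits, str(stomped), str(fresh)


if __name__ == "__main__":
    hits, stomped, fresh = demo()
    for hit in hits:
        print("possible timestomp:", hit)
```

Treat a hit as a lead, not proof: files restored from backup with `cp -p`, `tar -p` or `rsync -a` show the same mtime/ctime gap, and on Windows `st_ctime` is the creation time rather than the inode change time. Cross-check flagged binaries against the package manager (for example `rpm -V` or `debsums`) and, for the chmod/chattr copies the quote describes, against the hash of the distribution's own binary.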

Furthermore, the malware attempts to tamper with the cryptographic policies of Linux servers. Because these policies can prevent malicious executables from being dropped or run, CoinStomp's author included options to disable system-wide cryptographic policies via a kill command. "This could undo attempts to harden the target machine by administrators, ensuring that the malware achieves its objectives," the researchers say.

CoinStomp then uses a reverse shell to connect to its command-and-control (C2) server. The script downloads and runs additional payloads as system-wide systemd services with root privileges, including binaries that may be used to establish backdoors and a customized version of XMRig, legitimate Monero mining software abused for criminal purposes.

Attackers Could Use a Bug in the Squirrel Engine to Hack Games and Cloud Services

 

An out-of-bounds read vulnerability in the Squirrel programming language allows attackers to escape sandbox restrictions and execute arbitrary code within a Squirrel virtual machine (VM), giving them complete control over the underlying machine. Given where Squirrel lives, in games and embedded in Internet of Things (IoT) devices, the bug could endanger the millions of monthly players of games such as Counter-Strike: Global Offensive and Portal 2, as well as cloud services such as Twilio's Electric Imp IoT platform, which ships a ready-to-use open-source code library.

The issue is tracked as CVE-2021-41556 and affects the stable release branches 3.x and 2.x of Squirrel. It can be triggered when the Squirrel engine is used to execute untrusted code. The vulnerability was responsibly disclosed on August 10, 2021. The engine is designed to be efficient on multi-core hardware and to get the most out of high-end computers.

Squirrel is an open-source object-oriented programming language used for customization and plugin development in video games and cloud applications. It's a scripting language that fits the size, memory bandwidth, and real-time demands of video games and embedded systems. 

"In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop," researchers Simon Scannell and Niklas Breitfeld said in a report. "When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine." 

The security problem is an "out-of-bounds access via index confusion" that arises when Squirrel classes are defined. Because bit flags are stored within index values, it is entirely feasible for an attacker to create a class definition with 0x02000000 methods, the researchers explained.

The flaw is severe because it lets a malicious actor create a fake array that can read and write values. The researchers found that overwriting function pointers allowed them to "hijack the control flow of the programme and take full control of the Squirrel VM."

Although the problem was fixed in a code commit on September 16, the changes have not yet been included in a new stable release; the most recent official version (v3.1) was issued on March 27, 2016. Maintainers who use Squirrel in their projects should apply the available fix commit to protect themselves from attacks, according to the researchers who found the issue.

Houdini Malware is Back, and Amazon Sidewalk has Affected Enterprise Risk Assessments

 

The nature of a secure access service edge (SASE) platform lets it see a large number of internet data flows, and the larger the platform, the more flows can be evaluated. A review of over 263 billion network flows from Q2 2021 reveals rising threats, new uses for old malware, and the expanding use of consumer devices in the workplace.

According to the Cato Networks SASE Threat Research Report, a new version of the old Houdini malware is being used to steal device information in order to circumvent access rules that look at both the device and the user. Attackers have prioritized spoofing device IDs as access controls have evolved from simple point solutions to cloud-based services, so verifying device identity has become critical to strong user authentication.

The report also shows how Amazon Sidewalk and other consumer services run on many enterprise networks, making risk assessment difficult. “Cybersecurity risk assessment is based on visibility to threats as much as visibility to what is happening in the organization’s network,” says Etay Maor, senior director of security strategy at Cato Networks. 

Maor doubts that many firms would be comfortable with on-site networks that include a variety of home gadgets, including devices belonging to employees' neighbours that Sidewalk signs in automatically. Just as concerning, he said: "How many companies are even aware that home devices have been brought into the corporate network and are sharing the corporate infrastructure."

“With lines blurring between the home office and the corporate network – more devices and applications find their way to the organization’s network but not necessarily to the organization’s risk assessment,” Maor added. 

Cato discovered 9.5 billion network scans across its platform in Q2. Maor is confident that the company's combination of AI-based threat detection and human analysis ensures these are not researcher scans. Cato also recorded about 817 million security events caused by malware, as well as over 475 million events caused by inbound or outbound contact with domains of poor reputation.

There were nearly 400 million policy violations, including 241 million vulnerability scans from scanners such as OpenVAS and Nessus that violated Cato's security policy or common best practices for network security. The most common exploit attempt (7,957,186 attempts) targeted CVE-2020-29047, a vulnerability in the WordPress wp-hotel-booking plugin.

SecureWorx, an Australian Cybersecurity Firm Acquired by EY

 

Ernst & Young (EY) Australia has bought managed services provider SecureWorx for an undisclosed sum. SecureWorx, based in Melbourne, specializes in multi-cloud services, managed security operations, and security advisory services for businesses that handle sensitive data. It also offers 24/7 managed security operations with government-cleared staff and facilities.

“Cyber security is a critical business function that has moved beyond our clients’ technology agenda,” said recently installed EY Australia CEO David Larocca. “This is because we’re seeing a dramatic escalation in the frequency and impact of ransomware attacks that are changing the way Boards are accountable to stakeholders. Our clients are telling us that cybersecurity is one of their greatest concerns.” 

In response to new mandatory requirements in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, including sovereign cybersecurity capabilities, EY said the purchase will boost its cybersecurity services portfolio. SecureWorx CEO Philip Mulley will join EY Australia as Sovereign Cybersecurity Leader as part of the acquisition. 

“We have long admired EY and in particular the work of their cybersecurity team,” Mulley said. “Joining gives us access to EY’s global thought leadership and deep industry knowledge. For our people it provides exciting career development opportunities through industry focus, technology career paths and global reach and mobility. EY’s Cyber team in Australia is a natural, cultural fit for us.” 

The purchase was motivated by EY's desire to improve its ability to assist clients with their mandated duties under new security legislation. “The latest updates to the Security of Critical Infrastructure Act outline new requirements that will require significant investment for onshore cyber capabilities to detect and combat threats,” said EY Oceania cybersecurity lead partner Richard Bergman. 

“SecureWorx has a set of cybersecurity assets that complement EY Australia’s existing cybersecurity team and capabilities including government-accredited hosting facilities in Melbourne and Canberra and an accredited Security Operations Centre in Melbourne,” Bergman continued, adding that the purchase would complement EY's 2019 acquisition of cybersecurity firm Aleron and its earlier acquisition of Open Windows.

Over the last few years, the Australian consulting industry has seen a flurry of M&A activity in the cybersecurity space, which appears to be intensifying due to rising market demand. According to a recent Boston Consulting Group report, Australia's cloud market will approach $10 billion in 2022 or 2023, up from under $5 billion three years ago.

Bugs in the Zimbra Server Could Lead to Unrestricted Email Access

 

Multiple security flaws have been uncovered in the Zimbra email collaboration software that could be abused to compromise email accounts by sending a malicious message, or even to take control of the mail server when it is hosted on cloud infrastructure. Researchers from code quality and security company SonarSource found and reported the flaws, tracked as CVE-2021-35208 and CVE-2021-35209, in Zimbra 8.8.15 in May 2021. Zimbra has since released versions 8.8.15 Patch 23 and 9.0.0 Patch 16 with mitigations.

"A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization," said SonarSource vulnerability researcher, Simon Scannell, who identified the security weaknesses. "As a result, an attacker would gain unrestricted access to all sent and received emails of all employees." 

Zimbra is a cloud-based email, calendar, and collaboration suite for businesses that comes in both an open-source and commercially supported version with extra capabilities like a proprietary connector API for synchronising mail, calendar, and contacts with Microsoft Outlook, among other things. It's utilised by more than 200,000 companies in 160 countries. 

The first flaw, discovered by Simon Scannell, can be exploited simply by opening a malicious email carrying a JavaScript payload: a cross-site scripting (XSS) bug (CVE-2021-35208) is triggered in the victim's browser when the rigged email is opened. According to SonarSource, when the payload executes it gives an attacker access to the victim's emails and webmail session. It can also serve as a starting point for further attacks: “With this, other features of Zimbra could be accessed and further attacks could be launched.”

The second bug is an allow-list bypass leading to a powerful server-side request forgery (SSRF) vulnerability (CVE-2021-35209) that can be exploited by an authenticated account belonging to a member of the targeted organisation with any permitted role. Combining the two bugs, a remote attacker can obtain valuable information from cloud infrastructure instances, such as Google Cloud API tokens or AWS IAM credentials.

"Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet," the company noted in its advisory. "If this servlet is configured to allow a particular domain (via zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly."
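The advisory describes the classic gap in string-based allow lists: the domain name passes the check, but the address it resolves to is internal. A proxy that wants to honour an allow list has to resolve the host itself, reject every non-public answer (loopback, RFC 1918, the 169.254.169.254 cloud metadata endpoint the previous paragraph's credential theft goes through, and IPv4-mapped IPv6 wrappers around those), and then connect to the vetted address rather than re-resolving. The following Python check is an added example for this page, not Zimbra's Proxy Servlet code; ALLOWED_DOMAINS and its `*.` wildcard semantics are assumed configuration, and FAKE_DNS is a constructed answer table so the check runs offline (system_resolver() shows the live equivalent).

```python
"""Resolve-then-check allow list for an outbound proxy. Added example for this
page, not Zimbra's Proxy Servlet. Config and DNS answers below are constructed."""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_DOMAINS = {"api.example-partner.com", "*.example.org"}  # assumed config

# Constructed DNS answers standing in for real resolution.
FAKE_DNS = {
    "api.example-partner.com": ["1.2.3.4"],
    "cdn.example.org": ["5.6.7.8", "2606:4700::1111"],
    "loop.example.org": ["127.0.0.1"],          # allowed name, loopback answer
    "meta.example.org": ["169.254.169.254"],    # allowed name, cloud metadata endpoint
    "mapped.example.org": ["::ffff:10.0.0.5"],  # IPv4-mapped IPv6 hiding a private address
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def system_resolver(host: str) -> list[str]:
    """Live resolver for real use: every A/AAAA answer, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def name_allowed(host: str, allowed=ALLOWED_DOMAINS) -> bool:
    """String-level check only: exact entries, or '*.' entries matching any subdomain."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # '*.example.org' -> endswith '.example.org'
                return True
        elif host == entry:
            return True
    return False


def is_public(ip_str: str) -> bool:
    """Reject every address class an SSRF could use to reach something internal."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by the embedded IPv4 address
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_target(url: str, allowed=ALLOWED_DOMAINS, resolve=fake_resolver):
    """Return (ok, reason, pinned_ip). Callers must connect to pinned_ip, not re-resolve."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", None
    if not name_allowed(host, allowed):
        return False, f"{host} is not on the allow list", None
    addrs = resolve(host)
    if not addrs:
        return False, f"{host} does not resolve", None
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host} resolves to non-public {addr}", None
    # Pin the vetted address so a DNS change between check and use cannot redirect the request.
    return True, "ok", addrs[0]


if __name__ == "__main__":
    for target in ("https://api.example-partner.com/v1/users", "https://loop.example.org/",
                   "http://meta.example.org/latest/meta-data/", "http://evil.example.net/"):
        print(target, "->", check_target(target)[:2])
```

Two details matter in practice: the request must go to the pinned IP with the Host header set to the original name (otherwise the resolver is consulted again and a rebinding DNS record wins), and any redirect the upstream returns has to go back through check_target() before it is followed.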

Apple Plans to Expand Cloud-Based Services, Enters Cloud Computing Space


Apple is planning to invest more in streamlining and expanding its cloud-based and software services such as iCloud, News+, and Apple Music. The expansion will go hand in hand with devices like iPads, MacBooks, and iPhones. To ensure the reliability of these cloud-based services across all Apple devices, the company has decided to rely on AWS (Amazon Web Services), the subunit of Amazon that offers cloud solutions. According to CNBC, Apple pays Amazon $30 million a month for its cloud-based services, which makes Apple one of the biggest customers of AWS.


Nevertheless, Apple hasn't confirmed whether it uses Amazon's cloud services beyond iCloud. According to experts, Apple also hosts some of its cloud services on Google. Amazon transformed data center management and application hosting when it introduced AWS; as the first to offer such services, AWS currently ranks top in cloud hosting. More recently, Google Cloud and Microsoft Azure have also been trying to increase their presence in the cloud space.

"As a matter of fact, AWS crossed the $10 billion quarterly revenue mark in Q1 2020, bringing in revenue of $10.2 billion with a growth rate of 33%. AWS accounted for about 13.5% of Amazon's total revenue for the quarter, which is on the higher end. Google Cloud, which includes Google Cloud Project (GCP) and G-Suite, generated $2.78 billion in revenue in the first quarter this year, which marked a 52% increase over the same quarter a year ago. Microsoft does not reveal Azure revenue, but it announced that its Azure revenue grew by 59% in Q1 2020 over the same quarter a year ago," says Taarini Kaur Dang from Forbes.

As it seems, Apple knows the importance of high-end cloud support for offering the best services to its customers. Like other tech giants, Apple has its own cloud team, called ACI (Apple Cloud Infrastructure). Judging by Apple's recent advances, it is fair to believe that Apple might revolutionize the cloud space.

BEC Scams Cost American Companies Billions!


Business Email Compromise (BEC) scams have hit several US companies and caused losses running into billions of dollars, according to a warning from the Federal Bureau of Investigation.

Per sources, BECs are “sophisticated scams” targeting businesses that make electronic payments, including “wire transfers or automated clearing house transfers”. Typically, the attacker gains access to a legitimate business email account through device intrusion techniques.

Once access has been acquired, the attacker uses the email account to obtain funds by sending suppliers emails loaded with invoices carrying modified bank account details.

The hit list mostly consists of organizations that use cloud-based email services, which make BEC scams easier to carry out.

Per the FBI, specially engineered “phish kits” that impersonate cloud-based email services are used to launch these scams, exploit the business accounts, and request or misdirect funds.

Sources mention that the Internet Crime Complaint Center (IC3) received numerous complaints over recent years about companies experiencing damages amounting to a couple of billion dollars in “actual losses” as a result of BEC scams.

The IC3 focused its attention on BEC scams after their number began to multiply rapidly across the United States.

The issue allegedly lies in the configuration of cloud-based services, which makes it almost effortless for criminals to exploit company email accounts.

Most cloud-based services come with security measures intended to block BEC attempts, but that depends on users making good use of them: most of these features need to be enabled and manually configured.

Per sources, what makes these scams dangerous is that any organization, big or small, with limited IT resources is vulnerable.

In addition to controlling the email accounts, the attackers usually also retrieve the address books of the compromised accounts to build a list of potential targets. One bad apple can spoil the whole basket: a single affected organization can have ramifications for an entire industry.