Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Misconfiguration. Show all posts
Threat Landscape
Linux malware Misconfiguration Security flaw Threat Landscape

Stealthy Malware Has Infected Thousands of Linux Systems Since 2021

 

Aqua Security researchers have raised concerns about a newly identified malware family that targets Linux-based machines in order to get persistent access and control resources for crypto mining. The malware, known as perfctl, purports to exploit over 20,000 different types of misconfigurations and known vulnerabilities and has been active for over three years. 

Aqua Security uncovered that perfctl uses a rootkit to hide itself on compromised systems, runs as a service in the background, is only active when the machine is idle, communicates via a Unix socket and Tor, installs a backdoor on the infected server, and attempts to escalate privileges. The malware's handlers have been detected deploying more reconnaissance tools, proxy-jacking software, and a cryptocurrency miner. 

The attack chain begins with the exploitation of a vulnerability or misconfiguration, followed by the deployment and execution of the payload from a remote HTTP server. Next, it copies itself to the temporary directory, terminates the old process, deletes the initial binary, and runs from the new location. 

The payload contains an attack for CVE-2021-4043, a medium-severity Null pointer dereference vulnerability in the open source multimedia framework Gpac, which it uses to get root access. The flaw was recently uploaded to CISA's Known Exploited Vulnerabilities database. 

In addition to the cryptominer, the malware was observed copying itself to numerous additional locations on the computers, dropping a rootkit and popular Linux applications modified to function as userland rootkits. It uses a Unix socket to handle local communications and the Tor anonymity network for external command-and-control (C&C). 

"All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defence mechanisms and hinder reverse engineering attempts," the company said. 

Furthermore, the malware monitors specific files and, if a user logs in, it suspends activities to conceal its presence. It also ensures that user-specific configurations are executed in Bash contexts, allowing the server to run normally. 

For persistence, perfctl alters a script such that it is executed before the server's legitimate workload. It also attempts to terminate the processes of any additional malware it detects on the infected PC. 

The deployed rootkit hooks into various functions and modifies their functionality, including changes that allow "unauthorised actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behaviour of authentication mechanisms," according to Aqua Security. 

The cybersecurity firm found three download servers linked to the attacks, as well as other websites that were likely hacked by the threat actors, resulting in the finding of artefacts used in the exploitation of vulnerable or misconfigured Linux servers. 

“We identified a very long list of almost 20K directory traversal fuzzing list, seeking for mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) the attacker can run to exploit the misconfiguration,” the company added.
Read more »
User Data
Data Breach Data Leak Flightaware Misconfiguration User Data

Flight Aware User Data Leaked Following Misconfiguration

 

FlightAware, a flight tracking company, urges some customers to change their account login passwords after a data breach may have compromised private data. This Houston-based technology company provides aircraft tracking data in both real time and historical format.

Furthermore, it is recognised as the world's largest flight-tracking platform, with a network of 32,000 Automatic Dependent Surveillance-Broadcast (ADS-B) ground stations spread across 200 nations.

However, the firm recently disclosed in a statement posted on the California Attorney General's website that it experienced a data security breach on January 1, 2021. The breach was triggered by a misconfiguration that led to a setup error. 

Moreover, the company only discovered the issue on July 25, 2024, exposing private user data for nearly three years. As of now, the company has yet to reveal whether the exposed data was misused or stolen during its unprotected state for three years. 

In their initial announcement, FlightAware stated that they had discovered a setup issue that might have unintentionally exposed user IDs, passwords, and email addresses associated with their accounts. Whether or not users chose to add certain data categories to their accounts—such as full names, phone numbers, IP addresses, shipping addresses, billing addresses, social network profiles, and birth dates—may have had an influence on some users.

Critical information may also be compromised for certain accounts, including the last four digits of your credit card numbers, the status of the pilot, account activity (flights seen and comments left), and your Social Security Number (SSN). 

FlightAware, on the other hand, claimed that they had rectified the configuration issue and that any account holders whose data was compromised would be advised to change their passwords when they logged back into the platform. The company also assured all clients who got the security issue notification that they would be given a free two-year identity protection package and encouraged them to report any suspicious activity to local law enforcement authorities. 

Finally, the discovery of this unintentional data breach suggests that potentially impacted users should be wary of unwanted mailings. Threat actors could have used the exposed data for nefarious purposes such as identity theft and phishing.
Read more »
Misconfiguration
API security cloud compliance Cloud Computing Cloud Migration Cloud Security Cyber Security Cybersecurity data security IAM Misconfiguration

Cloud Security Report Highlights Misconfiguration and IAM as Top Threats

Traditional cloud security issues once associated with service providers are declining in significance, as per the Cloud Security Alliance's 2024 Top Threats report,  However, new challenges persist.


Misconfigurations, weak identity and access management (IAM), and insecure application programming interfaces (APIs) continue to pose the most significant risks to cloud environments. These issues have held top rankings for several years, indicating their persistent nature and the industry's ongoing focus on addressing them.

Other critical concerns include inadequate cloud security strategies, vulnerabilities in third-party resources and software development, accidental data leaks, and system weaknesses. While threats like denial of service and shared technology vulnerabilities have diminished in impact, the report highlights the growing sophistication of attacks, including the use of artificial intelligence.

The cloud security landscape is also influenced by increasing supply chain risks, evolving regulations, and the rise of ransomware-as-a-service (RaaS). Organizations must adapt their security practices to address these challenges and protect their cloud environments.

The report's findings are based on a comprehensive survey of cybersecurity professionals, emphasizing the importance of these issues within the industry.
 
Key Takeaways:
* Misconfigurations, IAM, and API security remain top cloud security concerns.
* Attacks are becoming more sophisticated, requiring proactive security measures.
* Supply chain risks, regulatory changes, and ransomware pose additional threats.
* Organizations must prioritize cloud security to mitigate financial and reputational risks. 

Read more »
Server
Amazon Cyber Security Data Misconfiguration Server

Amazon, Microsoft Cloud Leaks Highlight Lingering Misconfiguration Issues

 

A slew of household names has recently been accused of misconfigured cloud storage buckets overflowing with unencrypted data, shedding light on a cybersecurity problem that appears to have no solution. Anurag Sen, a security researcher, revealed just last week that an Amazon server had exposed data on Amazon Prime members' viewing habits. 

During the same time period, Thomson Reuters admitted that three misconfigured servers had exposed 3TB of data via public-facing ElasticSearch databases, according to Cybernews, which first reported the issues. And Microsoft admitted in mid-October that it had left an open misconfigured cloud endpoint that could have exposed customer data such as names, email addresses, email content, and phone numbers.

"The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability," Microsoft said in its statement on the misconfigured server. "We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints."

Indeed, rather than bugs, the leaks are driven by a range of misconfigurations, ranging from insecure read-and-write permissions to improper access lists and misconfigured policies, all of which could enable threat actors to access, copy, and potentially alter sensitive data from accessible data stores.

"The main concern with this kind of leak is the high impact, and that is why the threat actors go after misconfigured storage [servers] and buckets," says Ensar Åžeker, CISO at SOCRadar, the cybersecurity firm that discovered the Microsoft issue. "Once they discover [the accessible data], the bucket might ... contain huge amounts of sensitive data for one tenant [or] numerous tenants."

According to Venafi, 81% of organizations have experienced a security incident related to their cloud services in the last 12 months, with nearly half (45%) experiencing at least four incidents. According to Sitaram Iyer, senior director of cloud-native solutions at Venafi, the increase in incidents is due to the increasing complexity of cloud-based and hybrid infrastructure, as well as a lack of visibility into that infrastructure.

"Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend," he says. "The increase in this trend is most often due to misconfiguration related to access controls: While only authorized users need to be allowed access to cloud storage, a simple mistake in configuration often enables [any] authenticated users to gain access."

Companies should monitor their cloud assets on a regular basis to detect when a datastore or storage bucket has been exposed to the public internet. Furthermore, using infrastructure-as-code (IaC) configuration files when deploying cloud storage not only automates deployments but also helps eliminate errors, according to data from Snyk, a maker of security services for the software supply chain.

According to the company, implementing IaC reduces cloud misconfigurations by 70%. The division of responsibilities between cloud providers and business customers remains an issue. While the customer is responsible for configuring cloud assets, Venafi's Iyer believes that the cloud service should make configuring cloud assets as simple as possible.

"Principle of least privilege must be adopted for every aspect of the data," he says. "Access to data must be provided as needed, with proper controls and authorization policies that tie it to a specific user or service account, and proper logging of access and notifications must be implemented."

An Amazon spokesperson told Dark Reading in a statement about the Prime Video case: "A Prime Video analytics server experienced a deployment error. This issue has been resolved, and no account information (including login or payment information) was compromised."

However, misconfiguration is not always the original sin; instead, a worker or developer will deploy a "shadow" server, a container or a storage bucket unknown to the IT department and thus unmanaged by the company.

Misconfigured storage has a long history of compromising security. The issue is frequently ranked among the top ten security issues in the popular Open Web Applications Security Project (OWASP) Top 10 security list. Security Misconfiguration rose to fifth place in 2021, from sixth place in 2017. Verizon Business' annual "Data Breach Investigations Report" also highlights the outsized impact of misconfigured cloud storage: In 2021, human errors accounted for 13% of all breaches.
Read more »
User Security
Data Breach data security Exposed Severs Misconfiguration User Privacy User Security

Nearly 15 Million People Impacted by ElasticSearch Misconfiguration

 

Cybersecurity researchers at Website Planet have unearthed two misconfigured ElasticSearch servers owned by an anonymous organization using open-source data analytics software developed by SnowPlow Analytics, a London-based software vendor. 

The software allows entities to gather and examine information about their websites’ users apparently without their knowledge. It is worth noting that a web analytics tool can collect versatile data metrics. The collected information is then used for designing an extensive, detailed profile for site visitors.

According to researchers, both servers were unencrypted and required no password authorization. The unsecured servers exposed 359,019,902 records, nearly 579.4 GB of data. The exposed servers contained detailed logs of website user traffic — information that belongs to users of various websites collecting data with the open-source technology, including the following. 

• Referrer page 
• Timestamp IP 
• Geolocation data 
• Web page visited 
• User-agent data of website visitors 

The servers contained user information collected over two months in 2021. The first server contained data from September 2021 with 242,728,328 records or 389.7 GB of data gathered between September 2nd, 2021, and October 1st, 2021. 

The second server contained December 2021 data featuring 116,291,574 records or 189.7 GB of data collected between December 1st, 2021, and December 27th, 2021. Nearly 4 to 100 records of users appear on the two servers, and given that there are multiple logs for each user, this exposure might affect at least 15 million people, the researchers added. 

It is worth noting that the compromised data could have been accessed by anyone with eyes, and included geolocation and IP addresses. Additionally, the servers were live and actively updating new information at the time when they were discovered. However, neither ElasticSearch nor SnowPlow Analytics is responsible for this exposure because the company that owns the misconfigured servers is at fault. 

The data leak might have a far-reaching impact because users worldwide are affected by this exposure. However, it is unclear whether the servers were accessed by a third party with malicious intent or not. Fortunately, both exposed servers were secured after Website Planet sent alerts to concerned authorities.

To secure the data, users can employ Virtual Private Network (VPN) which hides the online activity and IP address, making the user anonymous to on-site tracking and cookies. People can also use the Tor browser to access the internet anonymously and maintain their data privacy.
Read more »
Vulnerabilities and Exploits
Credentials Leak Data Leak Misconfiguration Open Source Software Vulnerabilities and Exploits

Misconfigured Apache Airflow Servers Expose Thousands of Credentials

 

Researchers from the security firm Intezer uncovered a slew of misconfigured Apache Airflow servers that were exposing sensitive information, including credentials, from a number of IT organizations. 

Apache Airflow is an open-source workflow management software that is used by numerous businesses across the world to automate business and IT activities. 

The post published by Intezer stated, “These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries. In the vulnerable Airflows, we see exposed credentials for popular platforms and services such as Slack, PayPal, AWS and more.” 

Researchers examined the dangers of misconfiguration for companies and their customers, as well as the most frequent reasons for data leakage from vulnerable cases. According to Intezer researchers, the majority of the stolen credentials are disclosed due to unsafe coding techniques, with many of the compromised instances having hardcoded passwords inside the Python DAG Code. 

Other misconfigured installations examined by Intezer included a publicly available configuration file (airflow.cfg) containing confidential information such as passwords and keys. 

Malicious actors may potentially alter the settings, resulting in unforeseen behaviour. Other misconfigured installations examined by Intezer included a publicly available configuration file (airflow.cfg) containing confidential information such as passwords and keys.  

Threat actors may also alter the settings, resulting in unforeseen behaviour. The credentials might likewise be exposed via the Airflow "variables" used in DAG scripts. 

As per experts,  it is quite common to find hardcoded passwords stored in these variables. Threat actors could also exploit Airflow plugins or features to execute malware that could be injected into variables. 

“There is also the possibility that Airflow plugins or features can be abused to run malicious code. An example of how an attacker can abuse a native “Variables” feature in Airflow is if any code or images placed in the variables form is used to build evaluated code strings.” 

“Variables are able to be edited by any visiting user which means that malicious code could be injected. One entity we observed was using variables to store internal container image names to execute. These container image variables could be edited and swapped out with an image containing and running unauthorized or malicious code.” 

The research focused on earlier versions of Apache Airflow and emphasised the hazards associated with using out-of-date software. The majority of the problems highlighted in the study were affected servers using Airflow v1.x; however, subsequent versions of Airflow incorporate security measures that address the aforementioned concerns. 

“In light of the major changes made in version 2, it is strongly recommended to update the version of all Airflow instances to the latest version. Make sure that only authorized users can connect.” concludes the report. “Exposing customer information can also lead to violation of data protection laws and the possibility of legal action.” 

The security firm advised, "Disruption of clients' operations through poor cybersecurity practices can also result in legal action such as class action lawsuits."
Read more »
Misconfiguration
Censys Cloud Cloud data violation Cyber Security Data Exposure database Misconfiguration

Cloud Misconfiguration is Still the Leading Source of Cloud Data Violations

 

Almost everybody by now is workings from home and 84 percent are worried that new security vulnerabilities have been generated with the quick move towards 100 percent remote working. 

Cloud service providers built their administration panels' user interface purposefully to mislead consumers and charge for more services than originally intended. 

Although it was never demonstrated as a systematic business strategy, reports and alerts of a data breach have overwhelmed the internet in recent years since a cloud-based database has indeed been misconfigured and confidential information ultimately leaked. 

Throughout the past month, Censys, a security company that specializes in census-like inspections on the internet, looked closely at the cloud-based services, hoping to uncover what the best potential origin of misconfiguration might be for cloud-based businesses. As per the study, Censys has found over 1.93 million cloud server databases that have been displayed publicly without even any firewall or other authentication measures. The security company arguments that threat actors will discover and target these databases utilizing older vulnerability exploits. In addition, if the database was unintentionally leaked, it could also use a weak or even no password at all, disclosing it to all those who have detected its IP address. 

Censys reported having been used to scan MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle and that nearly 60 percent of all disclosed servers were MySQL databases which represent 1.15 million of the 1.93 million overall exposed DBs. 

The security agency also searched to find ports that could also be exposed by clouds service as they are normally used for remote management applications like SSH, RDP, VNC, SMB, Telnet, Team Viewer, and PC Anywhere. Censys retained that access to all these remote managing port must not be easily discovered but rather secured by Access Control Lists, VPN tunnel, or other traffic filtering solutions, although the underlying cause of these applications is that the systems can be remotely logged into. 

Another very significant discovery was indeed the virtual exposure of the RDP login screens by more than 1.93 million servers. 

Microsoft and several others have also indicated that many violations of security have also been caused by attackers obtaining access to an enterprise through compromised RDP credentials. Which included attacks on a broad range of actors, including DDoS botnets, crypto mining activities, ransomware gangs, and government-funded actors. 

Most organizations do not operate internally with just one cloud services provider infrastructure, but instead use several solutions, many of which might not have the same access or default settings, allowing several systems to become accessible even though IT personnel are not supposed to do so. While some cloud providers have taken measures to improve their dashboards and to clarify how those controls operate, the wording of each cloud provider is still substantially different, and some system administrators are still often confused. 

Censys said, “it expects the issue of misconfigured services to remain a big problem for companies going forward.”
Read more »
Technology
Breach Cloud Services Misconfiguration Technology

33.4 Billion Records Exposed In Breaches Due To Cloud Misconfigurations?


With the rise in the number of records ‘exposed’ by cloud misconfigurations year after year from 2018 to 2019 by 80%, there is an evident ascent in the total cost to organizations related with those lost records. As organizations keep on embracing cloud services quite swiftly however they neglect to implement legitimate cloud security measures, sadly, specialists anticipate that this upward trend would remain.


Charles “C.J.” Spallitta, Chief Product Officer at eSentire says, “The rush to adopt cloud services has created new opportunities for attackers – and attackers are evolving faster than companies can protect themselves. The fact that we have seen a 42% increase from 2018 to 2019 in cloud-related breaches attributed to misconfiguration issues proves that attackers are leveraging the opportunity to exploit cloud environments that are not sufficiently hardened. This trend is expected to continue as more organizations move to the cloud,”

“Additionally, common misconfiguration errors that occur in cloud components expand and advance the attacker workflow. Real-time threat monitoring in cloud assets is critical, given the unprecedented rate of scale and nature of cloud services. Organizations should seek-out security services that distill the noise from on-premise and cloud-based security tools while providing broad visibility to enable rapid response when threats are found,” Spallitta concluded.


Key report findings: 
  1. 81 breaches in 2018; 115 in 2019 – a 42% increase
  2. Tech companies had the most data breaches at 41%, followed by healthcare at 20%, and government at 10%; hospitality, finance, retail, education, and business services all came in at under 10% each
  3. 68% of the affected companies were founded prior to 2010, while only 6.6% were founded in 2015 or later
  4. 73 (nearly 42%) of known affected companies experienced a merger or acquisition (M&A) transaction between 2015 and 2019, which indicates cloud security is an area of risk for companies involved in merging disparate IT environments
  5. Elasticsearch misconfigurations accounted for 20% of all breaches, but these incidents accounted for 44% of all records exposed
  6. The number of breaches caused by Elasticsearch misconfigurations nearly tripled from 2018 to 2019
  7. S3 bucket misconfigurations accounted for 16% of all breaches, however, there were 45% fewer misconfigured S3 servers in 2019 compared to 2018 
  8. MongoDB misconfigurations accounted for 12% of all incidents, and the number of misconfigured MongoDB instances nearly doubled YoY


Read more »
Subscribe to: Posts (Atom)