
Bling Libra Shifts Focus to Extortion in Cloud-Based Attacks

 


During an incident response engagement handled by Unit 42, it was observed that the threat actor group Bling Libra (which was responsible for distributing ShinyHunters ransomware) had shifted to extortion of victims rather than its traditional tactic of selling or publishing stolen data, in an attempt to increase its profits.

During this engagement, it was also demonstrated how the group acquired legitimate credentials, which had been exposed in a public repository, and used them to gain initial access to an organization's Amazon Web Services (AWS) environment. The compromised credentials had limited impact due to the limited permissions associated with them, but Bling Libra still managed to infiltrate the organization's AWS environment and conduct reconnaissance operations during this time.

The threat actor group used tools such as the Amazon Simple Storage Service (S3) Browser and WinSCP to gather information, access S3 bucket configurations, interact with S3 objects, and delete files from the service. Through earlier high-profile data breaches, including the Microsoft GitHub and Tokopedia incidents in 2020, Bling Libra developed a business model that enables it to monetize stolen data through underground marketplaces.

There has, however, been a significant change in the group's methods, which Unit 42 documented in a recent report. As of 2024, Bling Libra has shifted its business model from data theft to extortion, primarily targeting cloud-based environments to increase its revenue. As Unit 42 explained in its latest report, Bling Libra obtained AWS credentials from a sensitive file that was exposed online to carry out the latest attack.

The AWS account credentials belonged to an Identity and Access Management (IAM) user and gave the attackers access to the victim's AWS account. Although the permissions for accessing Amazon S3 resources were restricted, Bling Libra exploited them to gain a foothold in the cloud environment. While Bling Libra's method of gaining initial access to victims is unchanged, it has now adopted the double-extortion tactics normally associated with ransomware gangs: it steals data from victims and threatens to publish it online if they do not pay the ransom.

According to the researchers, Bling Libra obtained the credentials from a sensitive file exposed on the Internet, which contained a variety of credentials. Aside from these exposed AWS access keys, the group also claimed that it "targeted a few other one-time credentials that were exposed by this individual as well as a few other exposed AWS access keys belonging to this individual."

Using these credentials, the threat actors were able to gain access to the AWS account where the IAM user resided and to use AWS API calls to interact with S3 buckets under the context of the AmazonS3FullAccess policy, which grants full access to S3. The attackers in this case lurked in the environment for about a month before launching an attack that led to the exfiltration of information, its deletion from the environment, and the dropping of an extortion note demanding ransom payment.

Their ransom note gave the victim a week to make the payment. It has been reported that Bling Libra also created new S3 buckets in the aftermath of the attack, presumably to mock the organization. The attack on Ticketmaster in June was notable because of how much data Bling Libra was able to obtain. At the time, the organization claimed that a total of more than half a million records were stolen, some of which contained Personally Identifiable Information (PII) such as names, emails, addresses, and partial credit card information.

In May, the same group also claimed responsibility for several other attacks on other companies, including Ticketek Entertainment Group (TEG) in Australia, which occurred around the same period as the Ticketmaster attack. Like Ticketmaster, TEG was attacked at the beginning of May. This group has been associated with several significant data breaches affecting millions of records, and the implications have been severe.

In the final phase of the attack, Bling Libra created new S3 buckets with mocking names to signify their control over the environment, illustrating their ability to manipulate the system. The threat group known as Bling Libra has thus adopted a new tactic, pivoting to extortion as its primary method for monetizing its breaches.

Following their recent cloud-based attacks, the group sent out extortion emails demanding payment in exchange for the return of stolen data and the cessation of further malicious activities. This shift in strategy underscores their focus on using extortion as a central means to profit from their operations. A recent report by Unit 42 offers a comprehensive analysis of Bling Libra's operational tools, particularly emphasizing their use of S3 Browser and WinSCP. 

These tools enable the threat actors to interact seamlessly with Amazon Web Services (AWS) environments. The report provides in-depth insights that assist incident responders in distinguishing between legitimate tool usage and activities indicative of a security breach. To counteract such threats, Unit 42 strongly advises organizations to adhere to the principle of least privilege, ensuring that users have only the minimal level of access necessary to perform their functions. 

Additionally, they recommend implementing robust security measures, including the use of AWS IAM Access Analyzer and AWS Service Control Policies. These tools are essential for mitigating the risks associated with similar attacks on cloud infrastructure. As businesses increasingly depend on cloud technologies, maintaining a proactive and vigilant cybersecurity posture is critical. Organizations must be diligent in their efforts to protect their cloud environments from sophisticated threat actors like Bling Libra.
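The two points above worth seeing side by side are the AmazonS3FullAccess grant that let a leaked IAM user key reach every bucket, and the least-privilege and Service Control Policy guardrails Unit 42 recommends. The following is an added example, not code from the Unit 42 report or from this post: a deliberately simplified IAM-style policy evaluator (Allow/Deny statements, "*" wildcards in Action and Resource, explicit Deny wins, implicit deny otherwise) that shows how much a leaked key can do under each policy. The policy documents, bucket names and the `is_allowed`/`blast_radius` helpers are constructed for illustration; only the action names and the AmazonS3FullAccess shape are real AWS concepts.

```python
"""Least-privilege S3 policy check (added example, simplified IAM model)."""
import fnmatch
import json

# Constructed stand-in for the managed AmazonS3FullAccess policy document:
# every S3 action on every resource.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Scoped policy (assumed bucket name): list and read one bucket only.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-assets",
                "arn:aws:s3:::example-app-assets/*",
            ],
        }
    ],
}

# Guardrail in the style of a Service Control Policy: deny destructive S3
# calls account-wide, regardless of what an IAM user policy allows.
SCP_DENY_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    # IAM treats "*" and "?" as wildcards in Action and Resource strings.
    # fnmatch also treats "[" specially, which ARNs never use, so escape it.
    return any(
        fnmatch.fnmatchcase(target, p.replace("[", "[[]")) for p in _as_list(patterns)
    )


def is_allowed(action, resource, *policies):
    """Simplified IAM evaluation across all supplied policies.

    Any matching Deny wins; otherwise at least one matching Allow is
    required; with no matching statement the result is an implicit deny.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def blast_radius(policy, *guardrails):
    """What a leaked key under `policy` could do against constructed sample resources."""
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-app-assets/logo.png"),
        ("s3:GetObject", "arn:aws:s3:::customer-pii-exports/2024.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::customer-pii-exports/2024.csv"),
        ("s3:CreateBucket", "arn:aws:s3:::mocking-bucket-name"),
    ]
    return {f"{a} {r}": is_allowed(a, r, policy, *guardrails) for a, r in checks}


if __name__ == "__main__":
    # Full access: everything True. Scoped policy: only the first check is
    # True. Full access plus the SCP-style deny: deletes blocked, reads remain.
    print(json.dumps(blast_radius(FULL_ACCESS), indent=2))
    print(json.dumps(blast_radius(LEAST_PRIVILEGE), indent=2))
    print(json.dumps(blast_radius(FULL_ACCESS, SCP_DENY_DELETE), indent=2))
```

The third run is the instructive one: the SCP-style deny does not shrink what the IAM user policy grants for reads, so it is a backstop rather than a substitute for scoping the user policy itself; IAM Access Analyzer is the tool that would surface a bucket the scoped policy still exposes too widely.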

Oracle and Cohere Collaborate for New Gen AI Service

 

During Oracle's recent earnings call, company founder Larry Ellison made an exciting announcement, confirming the launch of a new generation AI service in collaboration with Cohere. This partnership aims to deliver powerful generative AI services for businesses, opening up new possibilities for innovation and advanced applications.

The collaboration between Oracle and Cohere signifies a strategic move by Oracle to enhance its AI capabilities and offer cutting-edge solutions to its customers. With AI playing a pivotal role in transforming industries and driving digital transformation, this partnership is expected to strengthen Oracle's position in the market.

Cohere, a company specializing in natural language processing (NLP) and generative AI models, brings its expertise to the collaboration. By leveraging Cohere's advanced AI models, Oracle aims to empower businesses with enhanced capabilities in areas such as text summarization, language generation, chatbots, and more.

One of the key highlights of this collaboration is the potential for businesses to leverage the power of generative AI to automate and optimize various processes. Generative AI has the ability to create content, generate new ideas, and perform complex tasks, making it a valuable tool for organizations across industries.

The joint efforts of Oracle and Cohere are expected to result in the development of state-of-the-art AI models that can revolutionize how businesses operate and innovate. By harnessing the power of AI, organizations can gain valuable insights from vast amounts of data, enhance customer experiences, and streamline operations.

This announcement comes in the wake of Oracle's recent acquisition of Cerner, a healthcare technology company, further solidifying Oracle's commitment to revolutionizing the healthcare industry through advanced technologies. The integration of AI into healthcare systems holds immense potential to improve patient care, optimize clinical processes, and enable predictive analytics for better decision-making.

As the demand for AI-powered solutions continues to rise, businesses are seeking comprehensive platforms that can deliver sophisticated AI services. With Oracle and Cohere joining forces, organizations can benefit from an expanded suite of AI tools and services that can address a wide range of industry-specific challenges.

The collaboration between Oracle and Cohere highlights the growing importance of AI in driving innovation and digital transformation across industries. As businesses increasingly recognize the value of AI, partnerships like this one are crucial for pushing the boundaries of what AI can achieve and bringing advanced capabilities to the market.

The partnership between Oracle and Cohere signifies a significant step forward in the realm of AI services. The collaboration is expected to deliver powerful generative AI solutions that can empower businesses to unlock new opportunities and drive innovation. With Oracle's expertise in enterprise technology and Cohere's proficiency in AI models, this collaboration holds great promise for businesses seeking to leverage the full potential of AI in their operations and strategies.

DoControl: Growing its SaaS Security Platform

DoControl offers an integrated, automated, and risk-aware SaaS Security Platform that protects apps and data that are essential to corporate operations, promotes operational efficiency, and boosts productivity. Protecting data and business-critical SaaS apps through automated remediation is DoControl's key strength.

DoControl's newest module adds shadow SaaS application identification, monitoring, and remediation to build on earlier advancements that target mission-critical use cases and better defend companies from SaaS supply chain assaults. By establishing machine identities that are frequently overprivileged, unapproved of, and unmonitored, SaaS application-to-application communication capabilities raise the risk. To address regulatory gaps and automatically close supply chain-based attack vectors, DoControl's SaaS Security Platform extension offers total control and transparency across all authorized and unauthorized SaaS apps.

One service platform that delivers unified security across various apps is required by the industry as a result of the rapid expansion of SaaS applications, the need to integrate them, or the economic pressures to integrate vendors. DoControl has established itself as the end-to-end SaaS security platform supplier, including CASB, DLP, Insider Risk, and Workflows, so now Shadow Apps enable security teams to accomplish more with less effort.

Extensive shadow application governance is aided by the DoControl SaaS Security Platform's expansion:

Facts and Awareness: Organizations can discover all interlinked SaaS applications within their estate, both sanctioned and unsanctioned. With rigorous surveying and inventories, businesses can spot non-compliance issues and understand which SaaS platforms, apps, or users inside the SaaS estate are high-risk.

Analyze and Operate: Utilizing pre-approval rules and workflows that demand end users present a business explanation for acquiring new apps, companies can conduct app reviews with business users. Security staff can also place suspect applications in quarantine, limit a user's access rights, and revoke such privileges.

Automated Cleanup: Organizations can automate the application of security policies throughout the entire SaaS application stack by using low-code/no-code solutions. Through automated patching of various threat vectors, DoControl's Security Workflows limit vulnerability brought on by third-party apps and stop unauthorized or high-risk app usage.

Data security is essential, but several systems lack the level of specificity and set of capabilities modern businesses require to secure sensitive data and operations, particularly in the intricate and linked world of SaaS apps. DoControl finds every SaaS user, partner company, asset, and metadata, as well as OAuth applications, groups, and activity events. Without hindering business enablement, DoControl helps to lower risk, prevent data breaches, and manage insider risk.


After a Security Incident, CircleCI Urges Customers to Rotate Secrets

 


CircleCI, an American software development service, has been affected by a security incident, and the service has urged its users to rotate their secrets to limit the damage.

Security Issue Alerts for CircleCI Users

It has recently been announced that the American DevOps platform CircleCI is urging its users to rotate their secrets after a security incident. CircleCI is one of the most popular CI/CD platforms today, providing developers with continuous integration and delivery and enabling them to ship code more quickly. A million people use this tool each year, and thousands of companies rely on it for their business. In the wake of this security breach, however, they have been warned.

Rob Zuber, the Chief Technology Officer of CircleCI, has stated on the CircleCI blog that all secrets stored in CircleCI should be rotated immediately. This includes variables in the project environment variables and contexts that may contain cryptographic information. This issue was also addressed by CircleCI on Twitter, warning customers to take precautions. 

CircleCI assured its users that building applications with CircleCI was safe and that the company offered a secure platform. 

Besides sharing tools intended to assist teams in tracking down all the potentially compromised secrets, CircleCI has also announced it is working with Amazon Web Services to notify those customers who might have their tokens breached. 

Earlier, CircleCI warned customers regarding the circulation of a credential harvesting scam. This scam was attempting to trick users into entering their GitHub login credentials through what was presented as updated Terms of Service. 

Zuber mentioned in a blog that it would be wise for customers from December 21, 2022, to January 4, 2023, to review their internal logs for their systems and ensure that no unauthorized access was made to them. A further point that Zuber brought up was that all API tokens associated with Projects have been invalidated, and as a result, users will have to replace them. 

Details on CircleCI Security Incident Not Provided

It is imperative to note that CircleCI has notified users of a security issue and has offered advice on how to protect data. However, further details have yet to be released about what the problem is and what it entails. Despite this, as Rob Zuber stated in his blog post, it appears that the company intends to provide more details about the incident shortly.

CircleCI Security Incidents Are Not New

CircleCI has dealt with breaches in the past, although the details of the current incident remain unclear. A breach occurred in 2019 when an attacker gained access to sensitive data through the infiltration of a third-party analytics vendor used by the company.

In that incident, the attacker gained access to several usernames, email addresses, branch names, repository URLs, and IP addresses that could be used in further attacks. According to the company, users were warned to review their repository and branch names when the issue occurred.

Over 3.6M MySQL Servers Found Unguarded Online

 

Researchers at The Shadowserver Foundation have unearthed over 3.6 million exposed MySQL servers on the internet, making them a lucrative target for attackers and extortionists.

In scans conducted last week, researchers identified 3.6 million exposed MySQL servers using the default port, TCP port 3306. Out of 3.6 million, 2.3 million of these servers are linked over IPv4, while 1.3 million devices are connected over IPv6.

"While we do not check for the level of access possible or exposure of specific databases, this kind of exposure is a potential attack surface that should be closed," explains the report from Shadowserver.

The country with the most accessible IPv4 servers is the United States (at more than 740,000), followed by China (just shy of 300,000), and Germany (at roughly 175,000). 

The US also leads when it comes to accessible IPv6 MySQL servers (with close to 461,000 instances), followed by the Netherlands (at over 296,000) and Singapore (at 218,000). A breakdown of the scan results is given below:

• Total exposed population on IPv4: 3,957,457 
• Total exposed population on IPv6: 1,421,010 
• Total "Server Greeting" responses on IPv4: 2,279,908 
• Total "Server Greeting" responses on IPv6: 1,343,993 
• MySQL services can be accessed through the internet in 67% of cases. 

According to researchers, it is common for web services and applications to connect to remote databases. To mitigate the risks, servers should be guarded properly so only authorized devices can connect to them. 

Furthermore, public server exposure should always be accompanied by strict user policies, altering the default access port (3306), enabling binary logging, monitoring all queries closely, and enforcing encryption. Administrators are also recommended to keep their MySQL servers updated at all times especially since attacks targeting MySQL servers are not uncommon. 
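To make the hardening checklist above concrete, here is an added example (not from the Shadowserver post): a small Python checker that reads a my.cnf-style `[mysqld]` section and reports which of those steps are missing, with a constructed weak configuration beside a constructed hardened one. The option names used (`bind-address`, `port`, `skip_networking`, `require_secure_transport`, `log_bin`, `general_log`) are real MySQL server options; the file contents and the `audit` function are constructed for illustration.

```python
"""Audit a MySQL [mysqld] config for Internet-exposure hardening (added example)."""
import configparser

# Constructed sample: the kind of config behind the exposed servers in the scan.
WEAK_CONFIG = """\
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed sample with the recommended settings applied.
HARDENED_CONFIG = """\
[mysqld]
bind-address = 127.0.0.1
port = 3307
require_secure_transport = ON
log_bin = /var/log/mysql/mysql-bin
general_log = ON
"""

_TRUE = ("ON", "1", "TRUE")


def parse_mysqld(text):
    """Return the [mysqld] options as a dict.

    MySQL treats '-' and '_' as equivalent in option names, so names are
    normalised to '_'; options written without a value (e.g. skip_networking)
    map to an empty string.
    """
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string(text)
    section = parser["mysqld"] if parser.has_section("mysqld") else {}
    return {k.replace("-", "_"): (v.strip() if v else "") for k, v in section.items()}


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    opts = parse_mysqld(text)
    findings = []

    # Since MySQL 8.0.13 the default bind-address is "*" (all interfaces).
    bind = opts.get("bind_address", "*")
    if "skip_networking" not in opts and bind in ("*", "0.0.0.0", "::"):
        findings.append("listens on all interfaces; bind to a private address or set skip_networking")

    if opts.get("port", "3306") == "3306":
        findings.append("default port 3306 in use; mass scans enumerate it first")

    if opts.get("require_secure_transport", "OFF").upper() not in _TRUE:
        findings.append("unencrypted client connections allowed; set require_secure_transport=ON")

    if "log_bin" not in opts:
        findings.append("binary logging disabled; enable log_bin for recovery and forensics")

    if opts.get("general_log", "OFF").upper() not in _TRUE:
        findings.append("general query log off; enable it (or an audit plugin) to monitor queries")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Changing the port only removes the server from the cheapest scans, which is why the check is listed alongside, not instead of, binding to a private address, requiring TLS and keeping the server patched; the general query log is also expensive on busy servers, so an audit plugin is the usual production choice for the "monitor all queries" step.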

"It is unlikely that you need to have your MySQL server allowing for external connections from the Internet (and thus a possible external attack surface)," Shadowserver explained in a post regarding the MySQL findings. "If you do receive a report on your network/constituency, take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server." 

Failing to secure MySQL database servers can result in data breaches, ransom demands, remote access trojan (RAT) infections, or even Cobalt Strike compromises.