
Top Tech Firms Fined for Hiding SolarWinds Hack Impact

 



The US Securities and Exchange Commission (SEC) has fined four major technology companies, Unisys Corp, Avaya Holdings, Check Point Software, and Mimecast, for allegedly downplaying the severity of the cybersecurity risks they faced as a result of the notorious SolarWinds hack. The companies are accused of giving investors misleading information about the severity of the breaches connected with the 2020 attack on SolarWinds Orion software.

Companies Made Deceptive Filings

The SEC found that the companies had, directly or indirectly, misrepresented the extent and effect of the attacks to investors. All four have settled and will pay civil penalties: $4 million for Unisys, $1 million for Avaya, $995,000 for Check Point Software, and $990,000 for Mimecast.

The SEC said the companies knew their systems had been compromised through unauthorised access after the SolarWinds hack but reportedly downplayed the impact in public statements. For example, Unisys reportedly described cybersecurity risks as "theoretical" even after confirming two data breaches tied to the SolarWinds hack in which gigabytes of data were exfiltrated. Similarly, Avaya apparently downplayed the breach by disclosing only limited access to its email messages, while investigators found that at least 145 files in its cloud storage had been compromised.

Particular Findings on Each Company

1. Unisys Corp: The SEC noted that Unisys failed to disclose fully the nature of its cybersecurity risks even after it had suffered massive data exfiltration. Apparently, the company's public disclosures tagged such risks as "theoretical".

2. Avaya Holdings: Avaya allegedly made false statements by reporting that only a minimal number of email messages had been accessed, when there was ample evidence that the access extended further, to files held in the cloud.

3. Check Point Software: The SEC charges that Check Point was aware of the hack and used ambiguous language to downplay the severity of the attack, leaving investors under-informed about its actual extent.

4. Mimecast: The SEC found that Mimecast had made major omissions in its disclosure, including failure to disclose the specific code and number of encrypted credentials accessed by hackers.

Background on the SolarWinds Breach

The SolarWinds hack is attributed to the Russian-linked group APT29, associated with Russia's SVR intelligence service. In 2019, malicious actors gained unauthorised access to the SolarWinds Orion software platform and, between March and June 2020, released malicious updates that installed malware such as the Sunburst backdoor in "fewer than 18,000" customer instances, though far fewer were targeted for deeper exploitation.

Subsequently, many U.S. government agencies and large companies confirmed they had been compromised in this breach. These include Microsoft, the cybersecurity company FireEye, the Department of State, the Department of Homeland Security, the Department of Energy, the National Institutes of Health, and the National Nuclear Security Administration.

SEC's Stance on Transparency

The SEC's charges and fines also serve as a warning to public companies to be transparent about security incidents that affect investors' trust. The four companies settled without admitting wrongdoing, but the sizeable penalties show how firmly the SEC intends to hold organisations accountable for providing accurate information about cybersecurity risks and incidents.

The case therefore calls on tech firms to disclose cybersecurity issues more fully, as investors and consumers alike face increasingly complex and pervasive cyber threats.


Security Risks Discovered in Popular End-to-End Encrypted Cloud Storage Platforms

 

Recent cryptographic analysis by researchers at ETH Zurich has uncovered significant security vulnerabilities in five major end-to-end encrypted (E2EE) cloud storage platforms: Sync, pCloud, Icedrive, Seafile, and Tresorit. These platforms are collectively used by over 22 million people and are marketed as providing secure data storage. However, the study revealed that each of these platforms has exploitable flaws that could allow malicious actors to gain access to sensitive user data, manipulate files, or inject harmful data. The research was conducted under the assumption that a malicious attacker could control a server with full ability to read, modify, and inject data. 

This is a plausible scenario in the case of sophisticated hackers or nation-state actors. The researchers found that while these platforms promise airtight security and privacy through their E2EE models, their real-world implementation may fall short of these claims. Sync, for instance, exhibited critical vulnerabilities due to unauthenticated key material, which allows attackers to introduce their own encryption keys and compromise data. It was found that shared files could be decrypted, and passwords were inadvertently exposed to the server, compromising confidentiality. Attackers could also rename files, move them undetected, and inject folders into user storage. pCloud’s flaws were similar, with attackers able to overwrite private keys, effectively forcing encryption using attacker-controlled keys. 

This, coupled with public keys that were unauthenticated, granted attackers access to encrypted files. Attackers could also alter metadata, such as file size, reorder file chunks, or even inject files. Icedrive was shown to be vulnerable to file tampering due to its use of unauthenticated CBC encryption. Attackers could modify the contents of files, truncate file names, and manipulate file chunks, all without detection. Seafile also presented several serious vulnerabilities, including susceptibility to protocol downgrade attacks, which made brute-forcing passwords easier. The encryption used by Seafile was not authenticated, enabling file tampering and manipulation of file chunks. As with other platforms, attackers could inject files or folders into a user’s storage space. 

Tresorit fared slightly better than its peers, but still had issues with public key authentication, where attackers could potentially replace server-controlled certificates to gain access to shared files. While Tresorit’s flaws didn’t allow direct data manipulation, some metadata was still vulnerable to tampering. The vulnerabilities discovered by the ETH Zurich researchers call into question the marketing promises made by these platforms, which often advertise their services as providing the highest level of security and privacy through end-to-end encryption. In light of these findings, users are advised to exercise caution when trusting these platforms with sensitive data, particularly in cases where the server is compromised.  

The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings in April 2024, while Tresorit was informed in late September 2024. Responses from the vendors varied. Icedrive declined to address the issues, Sync is fast-tracking fixes, and Tresorit is working on future improvements to further safeguard user data. Seafile has promised to patch specific vulnerabilities, while pCloud had not responded as of October 2024. While no evidence suggests that these vulnerabilities have been exploited, the flaws are nonetheless concerning for users who rely on these platforms for storing sensitive data. 

The findings also emphasize the need for ongoing scrutiny and improvement of encryption protocols and security features in cloud storage solutions, as even end-to-end encryption does not guarantee absolute protection without proper implementation. As more people rely on cloud storage for personal and professional use, these discoveries are a reminder of the importance of choosing platforms that prioritize transparent, verifiable security measures.

Hackers Exploit Snowflake Data, Targeting Major Firms

 

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they gained access to some Snowflake accounts by breaching a Belarusian-founded contractor working with those customers. Approximately 165 customer accounts were potentially affected in this hacking campaign targeting Snowflake’s clients, with a few identified so far. 

One affected Snowflake account held stolen data including bank details for 30 million customers and other sensitive information. LendingTree and Advance Auto Parts might also be victims. Snowflake has not detailed how the hackers accessed the accounts, noting only that its own network was not directly breached. Google-owned security firm Mandiant, which is helping investigate the breaches, revealed that the hackers sometimes gained access through third-party contractors, but did not name those contractors or explain how this facilitated the breaches.

A hacker from the group ShinyHunters said they used data from an EPAM Systems employee to access some Snowflake accounts. EPAM, a software engineering firm founded by Belarus-born Arkadiy Dobkin, denies involvement, suggesting the hacker’s claims were fabricated. ShinyHunters has been active since 2020, responsible for multiple data breaches involving the theft and sale of large data troves. EPAM assists customers with using Snowflake's data analytics tools. The hacker said an EPAM employee’s computer in Ukraine was infected with info-stealer malware, allowing them to install a remote-access Trojan and access the employee’s system. 

They found unencrypted usernames and passwords stored in the project management tool Jira, which were used to access and manage Snowflake accounts, including Ticketmaster's. The lack of multifactor authentication (MFA) on these accounts made the breaches possible. Although EPAM denies involvement, hackers did steal data from Snowflake accounts, including Ticketmaster's, and demanded large sums to destroy the data, threatening otherwise to sell it. The hacker claimed to have directly accessed some Snowflake accounts using the credentials stolen from EPAM's employee. The incident underscores the growing security risk posed by third-party contractors and the importance of basic controls such as MFA.

Mandiant noted that many credentials used in the breaches were harvested by infostealer malware from previous cyber incidents. Snowflake’s CISO, Brad Jones, acknowledged the breaches were enabled by the lack of MFA and mentioned plans to mandate MFA for Snowflake accounts. This incident highlights the need for robust cybersecurity practices and vigilance, particularly when dealing with third-party contractors, to safeguard sensitive data and prevent similar breaches in the future.
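The breach chain above starts with plaintext usernames and passwords sitting in a ticketing tool. A defender's countermeasure is to scan ticket and wiki text for credential-like content before it is ever harvested. The following is an added example, not code from Snowflake, EPAM, Mandiant or the article's author: a small stdlib-only scanner run over a constructed Jira-style comment (every value in it is made up) that flags password assignments, generic secret assignments and Snowflake account hostnames, redacts the values in its report, and rates the ticket as critical when both a hostname and a credential appear together.

```python
import re

# Constructed sample ticket text; the hostname, user and secrets are all fictional.
SAMPLE_TICKET_TEXT = "\n".join([
    "Ticket DATA-42: onboarding notes for the analytics vendor",
    "Warehouse: ANALYTICS_WH, account: acme-xy12345.snowflakecomputing.com",
    "user: svc_etl  password: Winter2023!",
    "Shared the prod creds with the vendor team in the comments below",
    "AWS_SECRET_ACCESS_KEY=ExampleSecretKeyValueDoNotUse0123456789",
    "Reminder: rotate keys quarterly (no secrets here)",
])

# Each pattern captures the sensitive value in group 1 so it can be redacted.
PATTERNS = [
    ("password", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)")),
    ("secret", re.compile(r"(?i)(?:secret|token|api[_-]?key)\w*\s*[:=]\s*(\S{8,})")),
    ("snowflake_host", re.compile(r"(?i)\b([\w-]+\.snowflakecomputing\.com)\b")),
]

# Hostnames are not secrets; everything else is shown only by its first two characters.
NON_SECRET_KINDS = {"snowflake_host"}


def redact(value: str) -> str:
    return value[:2] + "***"


def scan_text(text: str) -> list:
    """Return one finding per (line, pattern) hit: {'line', 'kind', 'value'}."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group(1)
            findings.append({
                "line": line_no,
                "kind": kind,
                "value": value if kind in NON_SECRET_KINDS else redact(value),
            })
    return findings


def severity(findings: list) -> str:
    """'critical' when a credential and the account it opens sit in the same text."""
    kinds = {f["kind"] for f in findings}
    has_credential = bool(kinds & {"password", "secret"})
    if has_credential and "snowflake_host" in kinds:
        return "critical"
    if has_credential:
        return "high"
    return "info" if kinds else "none"


if __name__ == "__main__":
    found = scan_text(SAMPLE_TICKET_TEXT)
    for f in found:
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
    print("severity:", severity(found))
```

The regexes are deliberately broad (they will flag `password:` in prose as well as in config), because for a ticketing system a false positive costs a glance while a miss costs an account; tune them per source rather than loosening the defaults.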

IronKey: What is it & How Is It Different From Other Storage Drives


The world of online cloud storage

We live in a world of online cloud storage, where all our data is accessible everywhere and on any gadget. This has made physical storage media less of a concern than it once was, closer to a throwaway gadget we can do some neat things with.

However, the removal of movies and episodes from streaming services and the constant modification of social media and other online archives have made physical storage more necessary than ever. We've all had a flash drive at some point, and they have grown over time, getting larger and more reliable.

IoT and rising concerns

With more than 40 lakh attacks on IoT (Internet of Things) devices, India is among the top 10 victim countries in the world. This is a disappointment for tech enthusiasts and companies that have just begun using IoT devices, such as smart cameras, but have not considered protecting them. Hackers did not even flinch while penetrating the systems; that is how simple the break-in was.

"Simple methods like password guessing are used to gain entry to IoT devices. Some sufferers of these attacks set passwords as naive as 'Admin.' And now, India has made it onto the index of the top 10 countries that fell prey to IoT attacks in 2019," reported CySecurity in 2019.

When looking for external storage, you may come across the IronKey series, a pretty flashy and eye-catching name for a simple flash drive. What distinguishes these from conventional flash drives and makes them so expensive? And, more importantly, is it worthwhile? Here's your comprehensive guide on understanding the IronKey.

IronKey: What is it?

IronKey is a flash drive brand created in the early 2000s by IronKey, a Homeland Security-funded Internet security and privacy startup that was later bought by Kingston. These were designed to provide additional security for the government, military, and business clients. While they function similarly to other flash drives, IronKey's hardware encryption differentiates it (and makes it rather pricey).

Though software encryption is simple and secure enough for most files, it is not as robust as hardware encryption, which integrates a cryptoprocessor into the device. The IronKey flash drive uses 256-bit AES hardware-based encryption in XTS mode, carries FIPS 140-2 Level 3 validation, and manages the encryption key on the device's own Cryptochip.

The drive senses physical tampering and immediately safeguards your data. For further security you can protect the files with a sophisticated password or a passphrase of up to 255 characters, and if the wrong password is entered ten times in a row, the drive locks down and optionally destroys the files.

IronKey: Do you really need one?

So, do you require one? That varies on how you intend to make use of it. If you solely store schoolwork or images, paying $77 for an 8GB flash drive may be expensive. However, if you have sensitive corporate records or government secrets, it may be worth spending a bit more to avoid being the victim of a security breach.

Microsoft's Rise as a Cybersecurity Powerhouse

Tech titan Microsoft has emerged as an unexpected yet potent competitor in the cybersecurity industry in a time of rapid digital transformation and rising cyber threats. The company has quickly evolved from its conventional position to become a cybersecurity juggernaut, meeting the urgent demands of both consumers and enterprises in terms of digital security thanks to its broad suite of software and cloud services.

Microsoft entered the field of cybersecurity gradually and strategically. According to recent reports, the company has generated a whopping $20 billion in security-related revenue, underlining its dedication to protecting its clients in an increasingly complicated cyber landscape. This unexpected change was brought about by several strategic acquisitions and a paradigm shift that prioritised security across all of its services.

The business has considerably improved its capacity to deliver cutting-edge threat information and improved security solutions as a result of its acquisition of cybersecurity businesses like RiskIQ and ReFirm Labs. Microsoft has been able to offer a comprehensive package of services that cover threat detection, prevention, and response by incorporating these cutting-edge technologies into its current portfolio.

The Azure cloud platform is one of the main factors contributing to Microsoft's success in the cybersecurity industry. As more companies move their operations to the cloud, it is crucial to protect the cloud infrastructure. Azure has been used by Microsoft to provide strong security solutions that protect networks, programs, and data. For instance, its Azure Sentinel service uses machine learning and artificial intelligence to analyze enormous volumes of data and find anomalies that could point to possible security breaches.

Furthermore, Microsoft's commitment to addressing cybersecurity issues goes beyond its own products. The business has taken the initiative to work with the larger cybersecurity community in order to exchange threat intelligence and best practices. Its participation in efforts like the Cybersecurity Tech Accord, which combines international tech companies to safeguard clients from cyber dangers, is an example of this collaborative approach.

Microsoft's success in the field of cybersecurity is not without its difficulties, though. The broader cybersecurity sector continues to be beset by a chronic spending issue as it works to strengthen digital defenses. Microsoft makes large investments in security, but many other companies find it difficult to set aside enough funding to properly combat attacks that are always developing.



Cloud Storage: Is Stored Data Secure ?

 

The popularity of cloud storage is on the rise, both for personal and professional use. However, many people are concerned about the security of their data in the cloud. While some worry about the future-proofing of their cloud storage, others are concerned about the privacy of their personal information. 

Despite these concerns, the advantages of cloud storage in terms of convenience, scalability, and cost-efficiency make it a popular choice. Cloud storage involves storing digital data on remote servers and accessing it through an internet connection. This type of storage is fast, accessible from anywhere, easily scalable, and can serve as a backup in case of disaster. 

Additionally, third-party providers take care of server maintenance and security, freeing up the user's time for other tasks. Although security concerns exist, secure and affordable cloud storage services are available.

Cloud storage is a versatile option that can be used by both individuals and organizations. It offers various benefits comparable, and in some cases superior, to traditional physical storage. When evaluating the security of cloud storage, it is important to weigh the added safety it provides through features such as backups alongside the convenience it offers. It is used for:

  • Sharing Your Files With Ease
  • Cloud Disaster Recovery (CDR)
  • Backing Up Your Data

What Makes Your Data Safe in the Cloud?

Data stored in the cloud is generally more secure than data stored on your own hard drive. After all, cloud servers are housed in highly secure data centers that are constantly monitored.

So, how does cloud storage security work? What are the important security procedures in place to protect your data in the cloud?

  • Firewall-as-a-Service (FWaaS)
  • Round-the-Clock Monitoring
  • End-to-end encryption
  • AI-Powered Tools and Auto-Patching

While no system is perfect, cloud storage is surprisingly secure and more convenient than on-site storage. Your data in the cloud is encrypted, continuously monitored, and safeguarded against cyber attacks. Even in the event of a disaster, your data will be preserved thanks to redundant servers.

Overall, cloud storage is a rather secure option for storing your data, and it's not going away anytime soon.

What Must You Do Before Uploading Your Sensitive Data to the Cloud?


Cloud storage has emerged as a prominent tool when it comes to managing or storing users’ data. Prior to the establishment of cloud storage technology, more than a decade ago, emailing individual files to yourself or saving them to an external drive and physically moving them from one computer to another were the two most popular methods for backing up documents or transferring them between devices. 

Data storage has since seen a massive technological breakthrough thanks to cloud storage solutions. Prominent cloud storage services such as Google Drive, Microsoft OneDrive, Dropbox, and Apple iCloud Drive have made it dead simple to back up, store, and keep our documents synced across devices.

This convenience, however, has come at the cost of privacy. When we use any of the Big 4's cloud services, we in principle give them, or anybody who can hack them, access to whatever we keep in their cloud, including our financial and health information as well as our photos, notes, and diaries.

One of the main reasons user privacy is at stake is that all four prominent cloud providers only minimally encrypt documents on upload. End-to-end encryption would mean that the user is the only one able to decrypt the documents; these documents are not end-to-end encrypted.

Minimal encryption would mean that the service provider too holds the key to decrypt users’ documents, and is capable of doing so at all times. Moreover, in some severe instances, a hacker may as well get hold of the decryption key. 

Of the four major cloud services, Apple is the only provider offering Advanced Data Protection for iCloud, launched recently, which lets users choose to have their documents end-to-end encrypted when stored in iCloud Drive. This leaves Apple without any access to the files, protecting the user's privacy. However, the setting is still optional, so the standard, non-end-to-end encryption of iCloud Drive remains the default.

Since the remaining three major cloud storage providers are yet to provide users with the choice of end-to-end encryption and taking into consideration the exploded usage of such personal cloud services in recent years, billions of users are currently at risk of getting their sensitive documents exposed to the third party. 

Encrypt First, Then Upload to the Cloud 

It is possible to use the popular cloud storage services while preventing anyone who gains access to your account from reading the files stored there, simply by encrypting those files before uploading them. The best part? You do not need to be a computer scientist or a security developer to do so. With the numerous applications available for free, anyone can encrypt a file on their own.

What is Encrypto?

One such well-known encryption program is Encrypto, developed by a company called MacPaw. You drag a file into the program, give it a password, and it encrypts the file with industry-standard AES-256 encryption. The software then lets you save an encrypted version of the file (with the .crypto file extension).

After encrypting the files, the user can upload the encrypted version to their preferred cloud storage provider rather than the original file containing sensitive data. If the cloud storage account is then compromised, the attacker should be unable to open the .crypto file without knowing the password the user set for it.

Encrypto is a cross-platform tool that works on both Macs and Windows PCs, despite the fact that MacPaw is known for producing Mac-specific utility apps. The recipient merely needs to download the free Encrypto app to be able to open sensitive documents that have been sent to them over email and have been encrypted using Encrypto (and you need to let them know the password, of course). 

Another nice feature of the app is that it lets users set a different password for each file they create. One can even include a password hint in the encrypted file as a reminder of which password was used. Users are advised to choose a password that would be difficult to brute-force or guess.

That said, whichever app you choose, encrypting files yourself before uploading them to Google Drive, Microsoft OneDrive, Dropbox, or iCloud Drive adds an additional layer of encryption and security to sensitive data while still reaping the many benefits of cloud storage.
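Two passages on this page make the same point from opposite directions: the ETH Zurich analysis above found that several E2EE providers encrypt files without authenticating them, so a server can alter ciphertext undetected, and the encrypt-before-upload advice here only holds if the local encryption both hides and protects the file. The following is an added example that is not Encrypto's, MacPaw's or any vendor's code. It uses only the Python standard library, so the cipher is a didactic stand-in (HMAC-SHA256 driven in counter mode, keyed by PBKDF2 from the password) rather than the AES-256 real tools use; the iteration count and the 16-byte salt and nonce sizes are assumptions. It shows that the unauthenticated format silently returns an edited plaintext when one stored byte is changed, while the encrypt-then-MAC format refuses the blob.

```python
import hashlib
import hmac
import os

# Added example, not a vendor's code. HMAC-SHA256 as a PRF in counter mode is a
# didactic stand-in for AES-256; the authentication lesson is the same.
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000   # assumption: enough to slow down offline password guessing


def derive_keys(password: str, salt: bytes):
    """Derive separate encryption and MAC keys from the user's password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC(enc_key, nonce || counter), XORed over data."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_unauthenticated(password: str, plaintext: bytes) -> bytes:
    """Confidentiality only: blob = salt || nonce || ciphertext, no integrity tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, _ = derive_keys(password, salt)
    return salt + nonce + _xor_stream(enc_key, nonce, plaintext)


def decrypt_unauthenticated(password: str, blob: bytes) -> bytes:
    salt, nonce, ct = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN], blob[SALT_LEN + NONCE_LEN:]
    enc_key, _ = derive_keys(password, salt)
    return _xor_stream(enc_key, nonce, ct)   # accepts anything: edits go unnoticed


def encrypt_authenticated(password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC over salt || nonce || ciphertext appended as a tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt_authenticated(password: str, blob: bytes) -> bytes:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt, nonce, ct = body[:SALT_LEN], body[SALT_LEN:SALT_LEN + NONCE_LEN], body[SALT_LEN + NONCE_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):    # constant-time comparison
        raise ValueError("blob rejected: integrity check failed (tampering or wrong password)")
    return _xor_stream(enc_key, nonce, ct)


def flip_byte(blob: bytes, index: int, mask: int) -> bytes:
    """Model a storage server that alters one stored byte without knowing any key."""
    edited = bytearray(blob)
    edited[index] ^= mask
    return bytes(edited)


def tampering_detected(password: str, plaintext: bytes, index: int, mask: int) -> bool:
    """True if the authenticated format refuses a blob whose byte `index` was altered."""
    blob = flip_byte(encrypt_authenticated(password, plaintext), index, mask)
    try:
        decrypt_authenticated(password, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pw, record = "correct horse battery staple", b"amount=100"   # constructed sample
    pos = SALT_LEN + NONCE_LEN + record.index(b"1")              # ciphertext byte of the '1'
    edited = flip_byte(encrypt_unauthenticated(pw, record), pos, 0x01)
    print("unauthenticated decrypts to:", decrypt_unauthenticated(pw, edited))
    print("authenticated rejects edit:", tampering_detected(pw, record, pos, 0x01))
```

The single-byte edit turns "amount=100" into "amount=000" under the unauthenticated format with no error, which is exactly the file-tampering class the ETH Zurich team reported; the authenticated format cannot tell a wrong password from a modified blob, and that is intended, since both must be refused rather than decrypted to garbage.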

Remember to Clear the Cache on Your iPhone

Websites and apps may load more quickly thanks to the cache, a designated area on your iPhone that stores temporary data. Because cached data uses up space on your phone, it's a good idea to clear it regularly to keep browsing fast. When you free up space on your iPhone by clearing the browser or app cache, you may notice a speed and performance improvement, especially if you have been experiencing performance problems.

Clearing the cache on an iPhone

For iPhones, Safari is the default browser, which lets you clear the cache in just a few simple steps. This method has a major impact on all devices logged into your iCloud account starting with iOS 11. As a result, the caches on all of your devices will be emptied, and the next time you use them, you'll have to sign in to each one separately. Here is what to do.

1. Launch the iPhone's Settings app.
2. From the list of programs, choose Safari.
3. Choose Clear Website Data and History.
4. The pop-up box will allow you to select Clear History and Data.

Even though clearing your browsing history in Chrome logs you out of websites, it does not appear to close all open tabs. You will need to log back into any websites you were visiting.

With Chrome, remove the iPhone cache

1. Start the Chrome application.
2. To access more options, click the three dots in the lower right corner.
3. Choose Settings by swiping up from the top.
4. On the following menu, choose Privacy and Security.
5. After that, choose Clear Browsing Data to bring up one final selection.
6. At the top-left corner of the menu, choose the desired time frame.
7. Check to see if Cached Images and Files, Cookies, and Site Data are all selected. At the very bottom of the screen, select Clear Browsing Data.


Caches and cookies 

Cookies are small files that carry passwords and personalisation data and record information about your online behaviour. Many cookies, including those that keep you logged in to regularly visited websites, are helpful; some third-party cookies, however, track your behaviour across many websites. That can include potentially sensitive data such as your search history and the links you clicked.

A cache, by contrast, stores data files that your browser or an app is likely to use frequently. Avoiding the need to download the same data again and again can improve your phone's performance.

Caches typically only need to be cleared once every two to three months. By then your browser will usually have accumulated a cache large enough to start slowing things down. You may need to clear it more often if you visit many websites.




An In-Depth Exploration Of Cloud Hacking And Its Methods

 


Regardless of the size of a business or its industry, cloud computing is becoming an increasingly popular IT practice among companies. It is a technological process that provides different services over the Internet on an on-demand basis. The resources involved are various kinds of tools and applications, including software, servers, databases, networking, and data storage. Its growing popularity has also made cloud hacking one of the most common threats in the industry.

Cloud computing, by using the Internet to store files, makes it possible to save files to a remote database instead of a proprietary hard drive or a local storage device. Any electronic device with internet access can then reach the data and the software programs that process it.

It has therefore become the preferred option for both people and businesses for several reasons, including cost savings, increased productivity, speed and efficiency, performance, and security.

As cloud computing grows more and more popular, it is hardly surprising that the cloud is a target for hackers; the threat of cyber-hacking has risen rapidly following the widespread adoption of cloud computing.

Cloud computing resources must be integrated into a company's cybersecurity strategy as an integral part of its defence against cybercrime. Using ethical hackers to scan cloud computing environments for vulnerabilities allows businesses to maintain the highest degree of security, enabling them to patch security flaws before attackers can exploit them.

How Does Ethical Hacking Work in Cloud Computing?


Because the choices for cloud computing are so diverse, cloud computing is now used in some form or another by 98 percent of companies. Cloud services are often perceived as more secure than their on-premises counterparts, although they come with their own set of problems when it comes to cloud hacking.

In the wake of the exponential rise in cyberattacks on cloud-based applications, businesses need trusted security experts who can fix vulnerabilities and close any holes through which attackers could enter their systems.

Protecting cloud computing resources from security vulnerabilities is as essential as protecting any other part of an information technology system, and it is a job for ethical hacking. Ethical hackers wear many hats when it comes to cloud computing, but a major part of their work is identifying security weaknesses and vulnerabilities in an organisation's computing infrastructure in order to strengthen the security of the cloud service.


The Types of Cloud Computing: What Are They?


It is important to know that there are several different types of cloud computing, which you can select according to your requirements. As a first step in classifying cloud services, start by determining where the cloud services are physically located:

Cloud services that are available to the general public are called public cloud services; they are hosted and provided by third parties.

Private clouds are cloud services reserved for a single customer's own use. Depending on the customer's needs, they can be hosted either by the company itself or by a third-party service provider.

Alternatively, a customer may use a hybrid cloud strategy, combining public and private cloud services, for example a public cloud application alongside a private cloud database that stores sensitive data.

Ethical hackers should also familiarise themselves with the following cloud computing offerings, as examples of how services are delivered over the internet:

There is a common misconception about what Software as a Service means. Software as a Service (SaaS) means that the cloud provider is responsible for updating and maintaining the software applications for the customer. A common business example of SaaS is the use of productivity applications such as Microsoft Office 365.

PaaS stands for Platform as a Service, and it gives customers the ability to develop and run applications on a platform to which they have access. Examples of such services include Microsoft Azure and Google App Engine.

As the name suggests, Infrastructure as a Service (IaaS) offers customers access to hardware resources such as compute, memory, storage, and networking through a subscription-based service. Note, however, that customers have to provide their own software to run on that infrastructure.

Cloud hacking methodology: Essentials


Following the explanation of “What is cloud hacking?” and “What is cloud exploitation?" we will examine the methodology of cloud hacking. These are some examples of the kinds of attacks that ethical hackers must be aware of in the world of cloud computing to protect themselves.

Attacks using brute force, a brute-force attack is the easiest way to break into a cloud-based service, which involves trying several different combinations of usernames and passwords to see which one works. After gaining access to the system, adversaries can proceed to wreak havoc on the system and exfiltrate data from the cloud the same way they can do with any other kind of attacker.

Phishing takes a different approach from brute force: the attacker impersonates a trusted third party to trick users into handing over their credentials. In its more sophisticated form, the message is tailored to a particular individual and contains very specific details about them.

Credential stuffing exploits password reuse. When employees at an organization reuse the same usernames and passwords across multiple services, the company is at risk of a credential-stuffing attack: an adversary takes a list of credentials stolen in a previous breach and tests each one against a different IT system to find out which still grant access to a valid account.

As the industry continues to move further into cloud computing, ethical hackers play an active role in the process. Cyberattacks on cloud infrastructure have increased over the past few years, and ethical hacking is a key factor in making sure businesses of every size and sector have appropriate defenses in place.

Vulnerability in OCI Could Have Exposed Customer Data to Attackers

A vulnerability called 'AttachMe', discovered by a Wiz engineer, could have allowed attackers to access and steal the OCI storage volumes of any user without their permission.

During an examination of Oracle Cloud Infrastructure in June, Wiz engineers found a cloud isolation flaw: a disk could be attached to a VM in another account without any permissions, which they immediately recognized as a potential attack path for threat actors.

Elad Gabay, a security researcher at Wiz, publicly disclosed the vulnerability on September 20. He warned that exploitation could have led to “severe sensitive data leakage” for all OCI customers and could even have been leveraged to gain remote code execution.

To exploit the vulnerability, an attacker needed the Oracle Cloud Infrastructure identifier (OCID) of the victim's volume, which could be obtained either by searching the web or through a low-privileged user permission that allows reading the volume OCID from the victim's environment.

AttachMe is a critical cloud isolation vulnerability affecting a specific cloud service. By attaching a victim's volume, a malicious actor could read and remove sensitive data from it, search it for cleartext secrets in order to move further into the victim's environment, render the volume inaccessible, or tamper with the partition of the disk that holds the operating system.

OCI's documentation describes volumes as a “virtual disk” that provides storage for compute instances. They come in two varieties:

1. Block volume: detachable storage that lets you expand capacity as needed.

2. Boot volume: a detachable boot device containing the image used to boot a system, such as the operating system and its supporting software.

Oracle patched the vulnerability promptly after Wiz, an Oracle partner and customer, reported it, and in its patch advisory thanked Wiz for disclosing the flaw and helping to resolve it.

Experts Discover New CloudMensis Spyware Targeting Apple macOS Users

Cybersecurity researchers have revealed previously unknown malware targeting Apple's macOS operating system. The malware, nicknamed CloudMensis by the Slovak cybersecurity firm ESET, uses popular cloud storage services such as pCloud, Yandex Disk, and Dropbox solely for receiving attacker commands and exfiltrating files.

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé stated in a report published. 

CloudMensis was found in April 2022. It is written in Objective-C and targets both Intel and Apple silicon Macs. The initial infection vector and the targets of the attacks are still unclear, but the malware's limited distribution suggests it is being used as part of a carefully targeted operation against businesses of interest.

ESET identified an attack chain in which code execution and administrative rights are used to launch a first-stage payload; this retrieves and runs a second-stage malware hosted on pCloud, which exfiltrates documents, screenshots, and email attachments, among other things.

The first-stage downloader also removes traces of a 2017 Safari sandbox escape and privilege escalation exploit chain that used four now-patched security flaws, implying that CloudMensis may have gone undetected for many years. The implant also includes functionality to bypass the Transparency, Consent, and Control (TCC) security mechanism, which requires all programmes to ask for user permission before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes.

It does so by exploiting another patched security flaw, CVE-2020-9934, discovered in 2020. The backdoor can also list running processes, capture screenshots, list files on removable storage devices, and run shell commands and other arbitrary payloads.

Furthermore, an examination of information from the cloud storage infrastructure reveals that the pCloud accounts were established on January 19, 2022, with compromises beginning on February 4 and spiking in March. 

M.Léveillé said, "The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."

Hopper: A Tool Developed at Dropbox to Detect Lateral Movement Attacks

Hopper, a tool developed by Dropbox, UC Berkeley, and other organizations, offers a different approach to spotting hostile activity in corporate networks. It examines an organization's login records for indicators of lateral movement attacks. The tool has two main components: a causality engine that tracks login paths, and a scoring algorithm that determines which login paths show the characteristics of a lateral movement attack.

Dropbox, Inc. is an American company based in San Francisco, California. It offers cloud storage, file synchronization, personal cloud, and client software services. Dropbox gathers a user's files into a dedicated folder on their computer; the contents of that folder are synchronized with Dropbox's servers and with every other computer and device on which the user has installed Dropbox, so that all devices hold the same files.

Many data breaches and security incidents in businesses begin with the compromise of a single device or low-privileged user account. As the attack progresses, the attackers gain access to increasingly important systems and resources by moving from their initial point of entry to other workstations and to administrator-level accounts. This is referred to as "lateral movement," and it is a warning sign of an impending security disaster.

It is difficult to tell typical user activity from malicious lateral movement. Detecting it has traditionally required writing precise rules about network activity or applying anomaly detection methods. “Unfortunately, the scale of modern enterprises inherently produces large numbers of anomalous-but-benign logins, causing traditional anomaly detection to generate too many false alarms,” the researchers explain.

Hopper was built on the observation that lateral movement attacks have two distinct characteristics: attackers want to reach a server that their original victim cannot access, and to do so they need to take over privileged accounts such as those of sysadmins. By filtering and reviewing login paths against these two criteria, Hopper can identify which behaviors warrant further investigation.

Hopper was evaluated on 15 months of data from Dropbox's enterprise network, comprising more than 780 million login events and 326 simulated red team attacks. The tool detected 94.5% of the attacks while producing eight times fewer false alarms than other lateral movement detection techniques.
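To make the two components concrete, here is a small added illustration (not Hopper's own code, and not from Dropbox or UC Berkeley) of the idea: a simplified causality engine chains logins into paths, and a scorer flags a path that switches to another account and ends at a host the original account has never reached. The login records and the one-hour chaining window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records: (ISO timestamp, source host, destination host, account used).
# bob's laptop is compromised; the attacker hops through the jumpbox to dc01 with an admin account.
LOGINS = [
    ("2021-03-01T09:00:00", "laptop-alice", "jumpbox",    "alice"),
    ("2021-03-01T09:05:00", "jumpbox",      "dev-server", "alice"),      # benign: same user, known destination
    ("2021-03-01T13:00:00", "laptop-bob",   "jumpbox",    "bob"),
    ("2021-03-01T13:04:00", "jumpbox",      "dc01",       "svc-admin"),  # credential switch to a privileged account
    ("2021-03-02T10:00:00", "laptop-alice", "jumpbox",    "alice"),
]
WINDOW = timedelta(hours=1)   # assumed maximum gap between two hops of one path

def _ts(event):
    return datetime.fromisoformat(event[0])

def historical_access(logins):
    """Destinations each account has reached; Hopper learns this from a baseline, here the sample doubles as one."""
    seen = defaultdict(set)
    for _, _, dst, user in logins:
        seen[user].add(dst)
    return seen

def login_paths(logins, window=WINDOW):
    """Causality engine (simplified): chain login B onto A when B leaves A's destination host within `window`."""
    events = sorted(logins, key=_ts)
    paths = []
    for i, first in enumerate(events):
        path = [first]
        for nxt in events[i + 1:]:
            last = path[-1]
            if nxt[1] == last[2] and _ts(nxt) - _ts(last) <= window:
                path.append(nxt)
        if len(path) > 1:
            paths.append(path)
    return paths

def is_suspicious(path, history):
    """Scoring: a switch to another account along the path AND a final host the original account never reached."""
    original_user = path[0][3]
    switched = any(ev[3] != original_user for ev in path[1:])
    new_access = path[-1][2] not in history[original_user]
    return switched and new_access

def detect_lateral_movement(logins):
    """Return suspicious paths as lists of (src, dst, user) hops."""
    history = historical_access(logins)
    return [[(e[1], e[2], e[3]) for e in p]
            for p in login_paths(logins) if is_suspicious(p, history)]
```

Alice's two-hop path is chained but not flagged, because she keeps her own account and dev-server is a destination she already reaches; only bob's path to dc01 satisfies both criteria.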

This Malware Uses Steam Profile Images to Hide Itself

In May 2021, a researcher tweeted about a new malware that hides inside Steam profile images. Apart from a warning that the length of the ICC profile data is not acceptable, common online EXIF tools report nothing significant about the image, because the malware is stored in encrypted form in the PropertyTagICCProfile value in place of a real ICC profile. The purpose of an ICC profile is to map colours correctly for output devices such as printers.

Valve's Steam is a digital distribution platform for video games. It was released as a standalone software client in September 2003 as a way for Valve to deliver automatic updates for its games, and was later expanded to carry games from third-party publishers. Steam provides digital rights management (DRM), server hosting, video streaming, and social networking services, along with community features such as friends lists and groups, cloud storage, in-game voice and chat, game installation, and automatic updates.

Concealing malware in the metadata of an image file is not a novel concept, but using a gaming platform like Steam for it had not been seen before. The strategy makes sense from the attacker's perspective: swapping or removing the payload is as simple as uploading a new profile image, there are a great many legitimate accounts, and blocklisting the Steam platform would have many unintended consequences.

It should be emphasised that no installation of Steam – or any other game platform – is required to become a target of this technique. The Steam platform only acts as a medium through which the malicious file is distributed.

An external component, which simply fetches the profile image from a single Steam profile, does the heavy lifting of downloading, unpacking, and executing the malicious payload. This component can be delivered by a variety of methods, including manipulated emails and infected websites.

The Steam profile image is neither infectious nor executable in any way; it only acts as a carrier for the malware, from which a second piece of malware must be extracted. The second component of this sample is a downloader that decrypts the payload from the picture with TripleDES, using the hardcoded password "PjlDbzxS#;8@x.3JT&4MsTqE0".
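The EXIF-tool warning mentioned above (an ICC profile whose length is not acceptable) points at a simple defensive check: a genuine ICC profile has a fixed header layout that an arbitrary encrypted blob will not satisfy. The following is an added example, not code from the researcher or from the malware, that validates an extracted ICC blob against the ICC header fields (size, 'acsp' signature, device class, tag table bounds); the minimal profile and the stand-in payload are both constructed.

```python
import struct

ICC_HEADER_LEN = 128
DEVICE_CLASSES = {b"scnr", b"mntr", b"prtr", b"link", b"spac", b"abst", b"nmcl"}

def build_minimal_icc_profile():
    """Constructed 132-byte ICC profile: valid header plus an empty tag table."""
    hdr = bytearray(ICC_HEADER_LEN)
    struct.pack_into(">I", hdr, 0, ICC_HEADER_LEN + 4)   # profile size (big-endian)
    hdr[8:12]  = b"\x02\x10\x00\x00"                    # profile version 2.1
    hdr[12:16] = b"mntr"                                # device class: display
    hdr[16:20] = b"RGB "                                # data colour space
    hdr[20:24] = b"XYZ "                                # profile connection space
    hdr[36:40] = b"acsp"                                # profile file signature
    return bytes(hdr) + struct.pack(">I", 0)            # tag count = 0

def icc_findings(blob):
    """Return the reasons an embedded ICC blob does not look like a genuine profile ([] if it does)."""
    if len(blob) < ICC_HEADER_LEN + 4:
        return ["too short to hold an ICC header and tag count"]
    findings = []
    declared = struct.unpack_from(">I", blob, 0)[0]
    if declared != len(blob):                           # the 'length not acceptable' symptom
        findings.append(f"declared size {declared} != actual {len(blob)}")
    if blob[36:40] != b"acsp":
        findings.append("missing 'acsp' signature at offset 36")
    if blob[12:16] not in DEVICE_CLASSES:
        findings.append(f"unknown device class {blob[12:16]!r}")
    tag_count = struct.unpack_from(">I", blob, ICC_HEADER_LEN)[0]
    if ICC_HEADER_LEN + 4 + tag_count * 12 > len(blob):
        findings.append(f"tag table of {tag_count} entries overruns the blob")
    else:
        for i in range(tag_count):                      # each entry: signature, offset, size
            sig, off, size = struct.unpack_from(">4sII", blob, ICC_HEADER_LEN + 4 + i * 12)
            if off + size > len(blob):
                findings.append(f"tag {sig!r} points outside the blob")
    return findings

def looks_like_icc(blob):
    return not icc_findings(blob)

# Constructed stand-in for an encrypted payload smuggled into the ICC slot (deterministic, not real malware).
FAKE_PAYLOAD = bytes((i * 73 + 19) % 256 for i in range(300))
```

The check runs on the raw bytes of the ICC property, so it applies regardless of which image container the profile was pulled from.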

More than 17,000 Domains Affected by Code that Steals Card Data

Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains by tampering with JavaScript files hosted in misconfigured Amazon S3 buckets.

The criminals exploited the lack of access control on Amazon's cloud storage service to affect over 17,000 domains through automated attacks that modified JavaScript files indiscriminately, without checking whether the code would ever be loaded on a payment page.

The campaign, part of Magecart operations, began in April; attackers injected payment card skimming code into a large number of domains through JavaScript files in poorly configured Amazon S3 buckets that granted write permission to anyone who found them.

According to security researchers at RiskIQ, the campaign's authors had automated the discovery of these S3 buckets.

Yonathan Klijnsma, RiskIQ's head of threat research, described the process: "Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket."

"Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content," he added.

The Magecart campaign succeeded largely because so many websites using Amazon's cloud storage service failed to lock down access to the corresponding assets.
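Klijnsma's point that public read does not justify public write translates into a concrete review step. The following is an added example (not RiskIQ's or Amazon's code) that scans a bucket policy document for Allow statements granting anonymous principals object-write actions, shown against a constructed weak policy and its corrected form; the bucket name, the role ARN and the account id 123456789012 are placeholders.

```python
# Actions that let a principal replace or alter objects (the skimmer was appended by overwriting .js files).
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the statement applies to everyone, i.e. Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def public_write_statements(policy):
    """Return the Sid (or index) of every Allow statement granting anonymous write access.
    Conditions are not evaluated, so conditional grants are still reported for manual review."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & WRITE_ACTIONS:
            hits.append(st.get("Sid", f"Statement[{i}]"))
    return hits

# Constructed bucket policies (the JSON shape found under "Policy" in `aws s3api get-bucket-policy` output).
# Weak: world-readable AND world-writable, the misconfiguration the campaign abused.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-assets/*"},
]}
# Corrected: public read stays, writes are limited to a deployment role (placeholder account id).
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "DeployWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-assets/*"},
]}
```

Bucket ACLs and the account-level S3 Block Public Access settings also govern anonymous writes and are outside what this policy check covers.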