Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label data scam. Show all posts

Security researcher says Azure Tags are security threat but Microsoft disagrees

 

Tenable recently identified a notable security issue within Microsoft's Azure Network service tags. While Tenable classified this as a high-severity vulnerability, Microsoft disagreed with this classification. Despite their differences, both companies jointly disclosed the security issue on Monday. 

What is Azure? 

Azure is Microsoft's comprehensive public cloud platform, offering over 200 services. These include Platform as a Service (PaaS) for application development and operation, Infrastructure as a Service (IaaS) for virtual machines, networking, and storage, and Managed Database Services for simplified database management. Azure supports developers, IT professionals, and business owners, providing the tools to build, run, and manage applications across multiple environments, including on-premises and edge locations. This flexibility and scalability make Azure adaptable to a wide range of organizational needs. 

What is the Issue?

Azure service tags represent groups of IP addresses for various Azure services, streamlining the creation of access control rules. These tags can be used in firewall settings to permit traffic from specific Azure services. However, Tenable uncovered a serious flaw: attackers could potentially bypass firewall rules that rely exclusively on service tags by masquerading as trusted services. 

Specific Vulnerability Scenario 

The vulnerability arises under the following conditions: Inbound traffic is permitted through a service tag. Services allowing inbound traffic might let users control parts of web requests, such as the URL path or destination host. An attacker in one tenant (Tenant A) could exploit this to access resources in another tenant (Tenant B) if the target allows traffic from the service tag and lacks additional authentication methods. For example, Azure Monitor Availability Tests use the ApplicationInsightsAvailability service tag for synthetic monitoring. A malicious user could exploit this setup to access endpoints in a different subscription. 

What Customer Should do? 

Reviewing and Strengthening Security Posture Azure customers using service tags should reevaluate their network settings: Recognize that relying solely on service tags does not fully secure traffic. Implement additional authentication and authorization checks for enhanced security. Ensure appropriate security measures are in place to safeguard traffic between Azure tenants. Refer to Microsoft's updated best practices for service tags and specific service guidelines. Adhere to Azure security fundamentals to secure your Azure platform and infrastructure. Enable and configure suitable monitoring controls in Azure Monitor. Example Mitigation Strategy To protect against unauthorized traffic via the ApplicationInsightsAvailability service tag, customers can create a token and include it as an HTTP header in availability tests. Validate this HTTP header in incoming requests to authenticate traffic origins, rejecting any requests missing the custom header. 

Microsoft’s Response and Mitigation Following Tenable's report, 

Conducted an extensive review and search for similar vulnerabilities. 

Updated documentation for Azure services utilizing inbound service tags. 

Released best practices for service tags to aid users in securing their environments more effectively. 

This collaborative disclosure by Tenable and Microsoft underscores the importance for Azure customers to regularly review and enhance their network security configurations. Service tags should be integrated into a comprehensive security strategy that includes robust authentication and monitoring practices.

Scammers Target Indian Users Posting Complaints on Social Media

 

The latest report from Cyble Research and Intelligence Labs (CRIL) revealed that scammers are targeting Indian residents who submit complaints on social media accounts belonging to various local firms.

Fraudsters keep an eye out on Twitter and other social media sites for customers asking for reimbursements for problems they may have had with services offered by businesses like the Indian Railway Catering and Tourism Corporation. 

Researchers claim that once fraudsters discover a victim's contact details, they would start a scam. 

"When users report complaints on social media, scammers take advantage of the opportunity to carry out phishing attacks by asking them to download malicious files to file their complaints and steal their funds from bank accounts," CRIL stated. 

Users of other popular Indian brands and organisations, including e-commerce platform Flipkart, payment service provider MobiKwik, budget airline Spicejet, and various banks, were targeted in addition to the IRCTC. 

In one case, after posting a complaint on the IRCTC's Twitter account, a user was contacted by someone impersonating an IRCTC customer service representative. While the user in this case refused to provide their information to the scammer, CRIL stated that fraudsters would use a variety of techniques to defraud victims.

Scammers, for example, may attempt to link a victim's mobile number or account via the Unified Payments Interface (UPI), send a Google form to collect sensitive information or forward a WhatsApp link to a malicious website.

"Scammers have been using Android malware in addition to other fraudulent tactics. They may send a phishing link that downloads a malicious APK file to infect the device, or they may send the malicious file via WhatsApp," the researchers added.

Fraudsters, according to the researchers, use malicious APK files with names like "IRCTC customer.apk," "online complaint.apk," or "complaint register.apk" to trick victims into revealing their banking credentials. 

They also want the victim's UPI details, credit/debit card information, and one-time passwords used for two-factor authentication. CRIL discovered one such phishing website that asked victims to enter basic information such as their name, mobile number, and complaint query before prompting them to enter sensitive banking information. It also requested the victim to install a malicious application that would allow it to steal incoming text messages from the infected device. 

According to CRIL, the scheme was perpetrated by "a group of financially motivated scammers" based in India. While it was first observed in late 2020, researchers say it has only recently begun targeting social media complaints to identify potential victims. 

"It is critical that users are aware of these scams and exercise caution when providing personal information or downloading files online," CRIL warned. 

Russia-linked APT29 Targets Diplomatic World Wide

 

Security intelligence from Mandiant has discovered a spear-phishing campaign, launched by the Russia-linked APT29 group, designed to victimize diplomats and government entities worldwide including European, the Americas, and Asia. 

The group is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack which hit hundreds of organizations. 

According to the data, the Russia-linked APT29 group popularly known as SVR, Cozy Bear, and The Dukes is active since at least 2014, along with the APT28 cyber threat group which was involved in the Democratic National Committee hack, the wave of attacks aimed at the 2016 US Presidential Elections and a November 2018 attempt to infiltrate DNC. 

The phishing emails have been masqueraded as official notices related to various embassies. Nation-state actors used Atlassian Trello, DropBox, and cloud services, as part of their command and control (C2) infrastructure. 

“APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly-listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, which makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.” reads the analysis published by Mandiant. 

The threat actors used the HTML smuggling technique to deliver an IMG or ISO file to the targets. The ISO image contains a Windows shortcut file (LNK) that installs a malicious DLL file when it is clicked. When the attachment file opens, the ROOTSAW HTML dropper will write an IMG or ISO file to disk. Following the steps, once the DLL file is executed, the BEATDROP downloader is delivered and installed in memory. 

“BEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of ntdll.dll into memory for the purpose of executing shellcode in its own process. BEATDROP first creates a suspended thread with RtlCreateUserThread which points to NtCreateFile...” 

 “…Following this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised”, the report read.