CyberSecurity news

FlagThis - #cloudsecurity

Jessica Lyons@theregister.com //

Abandoned AWS S3 Buckets Facilitate Software Supply Chain Hijacking - Researchers have uncovered a critical security vulnerability in abandoned Amazon Web Services (AWS) S3 buckets that could enable attackers to hijack the global software supply chain.
Researchers at watchTowr Labs have uncovered a significant security flaw involving abandoned Amazon Web Services (AWS) S3 buckets, potentially allowing attackers to compromise the software supply chain. The analysis revealed that nearly 150 S3 buckets previously used by various organizations, including cybersecurity firms, governments, Fortune 500 companies, and open source projects, could be re-registered. This re-registration could enable attackers to inject malicious code or executables into deployment processes and software update mechanisms.

Over a two-month period, these abandoned buckets received over eight million HTTPS requests for various files, including software updates and other binary artifacts. The requests originated from a wide range of sources, including government networks in multiple countries, military networks, Fortune 100 and 500 companies, and even cybersecurity companies. This vulnerability could allow threat actors to deliver malware or backdoors to these organizations, leading to widespread security breaches. AWS has since blocked the specific buckets identified by watchTowr to prevent their re-creation and potential misuse.

Recommended read:
References :
  • The Register - Security: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant'
  • : watchTowr : Abandoned AWS S3 buckets could be reused to conduct supply chain attacks.
  • go.theregister.com: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant' When cloud customers don't clean up after themselves, part 97 Abandoned AWS S3 buckets could be reused to hijack the global software supply chain in an attack that would make Russia's "SolarWinds adventures look amateurish and insignificant," watchTowr Labs security researchers have claim…
  • www.theregister.com: watchTowr : Abandoned AWS S3 buckets could be reused to conduct supply chain attacks.
  • labs.watchtowr.com: WatchTowr Labs research details 8 million requests against AWS S3 buckets.
  • www.csoonline.com: Code references to nonexistent cloud assets continue to pose significant security risks, and the problem is only growing. Recent research identified approximately 150 AWS S3 storage buckets once used by various software projects to host sensitive scripts, configuration files, software updates, and other binary artifacts that were automatically downloaded and executed on user machines.
  • www.scworld.com: Nearly 150 S3 buckets previously leveraged by cybersecurity firms, governments, Fortune 500 companies, and open source projects could be re-registered with the same AWS account name to facilitate executable and/or code injections in the deployment code/software update mechanism, according to an analysis from watchTowr Labs researchers.
  • www.securityweek.com: Abandoned Amazon S3 Buckets Enabled Attacks Against Governments, Big Firms
  • BleepingComputer: How attackers abuse S3 Bucket Namesquatting — And How to Stop Them
  • SecurityWeek: Abandoned Amazon S3 Buckets Enabled Attacks Against Governments, Big Firms
  • therecord.media: Researchers warn of risks tied to abandoned cloud storage buckets
  • Jon Greig: Researchers at Watchtowr warned of malicious actors taking over abandoned AWS S3 buckets used by governments, militaries, Fortune 500 companies and even some cybersecurity firms
  • darkreading: Researchers from watchTowr discovered around 150 Amazon Web Services S3 buckets that were formerly used by organizations for software deployment and updates but were then abandoned.
@csoonline.com //

whoAMI Attack Exploits AWS AMI Name Confusion - A new "whoAMI" attack exploits name confusion in Amazon Machine Images (AMIs) to achieve remote code execution within Amazon Web Services (AWS) accounts, allowing attackers to publish a malicious AMI with a matching name and gain access.
Cybersecurity researchers have uncovered a new "whoAMI" attack that exploits name confusion in Amazon Machine Images (AMIs) to achieve remote code execution within Amazon Web Services (AWS) accounts. The attack allows anyone publishing an AMI with a specific, crafted name to potentially gain access and execute malicious code. The vulnerability stems from misconfigured software that can be tricked into using a malicious AMI instead of a legitimate one when creating Elastic Compute Cloud (EC2) instances.

Researchers found that the attack vector requires specific conditions to be met when retrieving AMI IDs through the API, including the use of the name filter and a failure to specify the owner. An attacker can create a malicious AMI with a matching name, leading to the creation of an EC2 instance using the attacker's doppelgänger AMI. Amazon addressed the issue following a responsible disclosure in September 2024, introducing new security controls and HashiCorp Terraform implemented warnings to prevent misuse of the API.

Recommended read:
References :
  • Talkback Resources: Cybersecurity researchers disclosed the whoAMI attack, enabling attackers to execute code within AWS accounts by tricking misconfigured software into using a malicious AMI with a specific name, prompting AWS to introduce new security controls and HashiCorp Terraform to implement warnings.
  • The Hacker News: New “whoAMIâ€� Attack Exploits AWS AMI Name Confusion for Remote Code Execution
  • www.bleepingcomputer.com: Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
  • www.csoonline.com: whoAMI name confusion attacks can expose AWS accounts to malicious code execution
  • BleepingComputer: Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
  • aws.amazon.com: AWS blog post on the fix.
  • securitylabs.datadoghq.com: Datadog Security Labs report detailing the whoAMI attack.
  • securityaffairs.com: whoAMI attack could allow remote code execution within AWS account
  • Security Affairs: whoAMI attack could allow remote code execution within AWS account
@www.networkworld.com //

Versa Networks Launches Sovereign SASE Platform - Versa Networks launches sovereign SASE, offering enterprises control over network security within their own environments, challenging the cloud-only model.
Versa Networks has launched its Sovereign SASE platform, presenting a new option for enterprises and service providers seeking greater control over their network security. This solution allows organizations to deploy a SASE platform within their own on-premises or private cloud environments, moving away from the traditional cloud-only security model. Versa's Sovereign SASE is designed to run entirely on customer-controlled infrastructure, offering a "do-it-yourself" model for customized networking and security services.

Increased privacy and control, reduced risk of service disruption, and eased regulatory compliance are key benefits. The platform enables organizations to build and manage their SASE environment on their own infrastructure, ensuring greater autonomy and data protection. By eliminating reliance on third-party SaaS platforms, Versa Sovereign SASE reduces operational risks and costs tied to unplanned outages, strengthening business continuity. The "air-gapped" infrastructure also simplifies meeting strict requirements for regulatory compliance, data residency, and security.

Recommended read:
References :
  • @VMblog: Versa Redefines SASE with Industry-First Sovereign SASE for Enterprises and Service Providers
  • Help Net Security: Versa Sovereign SASE enables organizations to create self-protecting networks
  • www.networkworld.com: Versa Networks launches sovereign SASE, challenging cloud-only security model
  • www.helpnetsecurity.com: Versa releases Versa Sovereign SASE, allowing enterprises, governments, and service providers to deploy customized networking and security services directly from their own infrastructure in a “do-it-yourself†model.
@securityboulevard.com //

Sweet Security LLM Reduces Cloud Detection Noise - Sweet Security launched a new LLM-powered cloud detection engine that reduces cloud detection noise to 0.04%, using AI to filter out false positives, identify threats, and provide clear guidance for security teams.
Sweet Security has launched a new, patent-pending Large Language Model (LLM)-powered cloud detection engine. This groundbreaking technology significantly reduces cloud detection noise to a mere 0.04%. This enhancement to their unified detection and response solution leverages advanced AI to assist security teams in navigating intricate cloud environments with heightened precision and assurance. The new LLM analyzes cloud data in real-time, filtering out false positives with high accuracy allowing teams to focus on genuine threats.

This new engine’s capabilities extend to identifying previously undetectable threats, including zero-day attacks and 'unknown unknowns'. By adapting to nuances of specific cloud environments, the engine can differentiate between unusual, but benign, anomalous activity and actual malicious behavior. Incidents are clearly labeled as either 'malicious,' 'suspicious,' or 'bad practice,' offering clear guidance for security teams, eliminating false positives, and reducing alert fatigue. This also delivers actionable insights, which include heat maps of ‘danger zones’, clear incident labels, and identification of relevant problem owners within the organization.

Recommended read:
References :
  • ciso2ciso.com: News alert: Sweet Security’s LLM-powered detection engine reduces cloud noise to 0.04% – Source: securityboulevard.com
  • gbhackers.com: Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%
  • securityboulevard.com: News alert: Sweet Security’s LLM-powered detection engine reduces cloud noise to 0.04%
  • ciso2ciso.com: News alert: Sweet Security’s LLM-powered detection engine reduces cloud noise to 0.04% – Source: securityboulevard.com
  • gbhackers.com: Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%
  • Security Boulevard: News alert: Sweet Security’s LLM-powered detection engine reduces cloud noise to 0.04%
  • Cyber Security News: Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine
@www.bleepingcomputer.com //

Ransomware Abuses AWS Encryption Features - A new ransomware campaign, dubbed 'Codefinger', exploits Amazon Web Services' Server-Side Encryption to encrypt S3 buckets, demanding ransoms for decryption keys.
A new ransomware campaign is exploiting Amazon Web Services (AWS) Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt S3 buckets. The attackers, known as "Codefinger," utilize encryption keys unknown to the victims. The hackers demand ransoms in exchange for the decryption keys, effectively holding the data hostage. This attack leverages a legitimate AWS feature, making data recovery incredibly difficult without the attacker's keys. The Codefinger crew was first spotted in December, and at least two AWS native software developers were recently targeted.

The attackers gain access to victims’ cloud storage by using compromised AWS keys with read and write permissions and encrypt files by calling the "x-amz-server-side-encryption-customer-algorithm" header and using a locally stored AES-256 encryption key they generate. AWS processes the key during encryption but does not store it, meaning the victim cannot decrypt their data without the attacker-generated key. Furthermore, the encrypted files are marked for deletion within seven days using the S3 Object Lifecycle Management API, adding pressure on the victims. This tactic represents a significant risk, as it’s the first known instance of ransomware using AWS's native secure encryption infrastructure via SSE-C to lock up victims data.

Recommended read:
References :
  • bsky.app: A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
  • BleepingComputer: A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
  • www.bleepingcomputer.com: A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
  • The Register - Security: Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days
  • AAKL: Seems like cybercriminals are getting bolder. Halcyon: Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C More: New ransomware gang dubbed Codefinger abuses AWS native encryption, sets data-destruct timer for 7 days
  • www.halcyon.ai: Ransomware Encrypting S3 Buckets with SSE-C
  • www.theregister.com: ransomware_crew_abuses_compromised_aws
  • osint10x.com: New Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets
  • securityaffairs.com: Codefinger ransomware gang uses compromised AWS keys to encrypt S3 bucket
Aman Mishra@gbhackers.com //

JavaGhost Exploits AWS Permissions for Phishing Campaigns - JavaGhost exploits misconfigured Amazon Web Services (AWS) environments for phishing campaigns, using victims' SES and WorkMail to bypass email protections and evade detection.
A cyber threat group known as JavaGhost has been exploiting misconfigured Amazon Web Services (AWS) Identity and Access Management (IAM) permissions to conduct sophisticated phishing campaigns. Palo Alto Networks Unit 42 is tracking this group, known as TGR-UNK-0011, which overlaps with JavaGhost. Since 2022, JavaGhost pivoted from website defacement to cloud-based phishing attacks, targeting unsuspecting targets for financial gain.

The group exploits leaked long-term AWS access keys to gain initial access, then misuses AWS services like Simple Email Service (SES) and WorkMail to send phishing emails, bypassing typical email protections. They create new SMTP credentials and IAM users, some for active attacks and others for long-term persistence, even leaving the same calling card in the middle of their activities.

JavaGhost's tactics include generating temporary credentials and utilizing advanced evasion techniques to obfuscate their identities in CloudTrail logs, a tactic historically used by Scattered Spider. The attackers create IAM roles with trust policies, allowing access from attacker-controlled AWS accounts, and attempt to enable all AWS regions to potentially evade security controls. These activities leave detectable events in CloudTrail logs, providing opportunities for threat detection and response for vigilant organizations.

Recommended read:
References :
  • The Hacker News: Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail
  • gbhackers.com: JavaGhost: Exploiting Amazon IAM Permissions for Phishing Attacks
  • Talkback Resources: JavaGhost: Exploiting Amazon IAM Permissions for Phishing Attacks
  • Talkback Resources: Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail [cloud]
  • Cyber Security News: JavaGhost Exploits Amazon IAM Permissions for Phishing Attacks
@ciso2ciso.com //

Ransomware Groups Exploit Microsoft Office 365 - Two ransomware groups are exploiting Microsoft 365 services and default settings to gain access to internal enterprise users.
Two ransomware groups, identified as STAC5143 and STAC5777, are actively targeting Microsoft Office 365 users by exploiting default settings and using their own Microsoft 365 tenants. These groups are leveraging the platform's features, like Teams, to initiate contact with internal users under the guise of tech support. This tactic is being used to gain access to victim systems. This concerning activity highlights a significant vulnerability in the default configuration of Microsoft 365 and the need for enhanced security measures.

Sophos researchers have detailed the tactics used by both groups. STAC5143 uses Teams’ remote control capabilities and deploys Java-based tools to exploit systems, extracting Python backdoors via SharePoint links. Meanwhile, STAC5777 uses Microsoft Quick Assist and manual configuration changes to install malware, steal credentials, and discover network resources. Both groups share techniques with other known threat actors, like Storm-1811 and FIN7. These attacks often start with spam email bombing, sometimes sending 3,000 emails in an hour, followed by Teams calls requesting screen control for malicious purposes, highlighting a multi-pronged social engineering approach.

Recommended read:
References :
  • ciso2ciso.com: Sophos MDR tracks two ransomware campaigns using "email bombing," Microsoft Teams "vishing."
  • ciso2ciso.com: Two ransomware groups abusing Microsoft's Office 365 platform
  • ciso2ciso.com: Details about the attacks and the tactics being used.
  • securityonline.info: STAC5143 and STAC5777: New Ransomware Campaigns Target Microsoft Office 365 Users
  • ciso2ciso.com: Two ransomware groups abuse Microsoft’s Office 365 platform to gain access to target organizations
  • securityaffairs.com: Two ransomware groups abuse Microsoft’s Office 365 platform to gain access to target organizations
  • securityonline.info: STAC5143 and STAC5777: New Ransomware Campaigns Target Microsoft Office 365 Users
@www.bleepingcomputer.com //

Otelier Data Breach Exposes Millions of Hotel Guests - Otelier, a hotel management platform, suffered a major data breach after its Amazon S3 cloud storage was compromised, exposing millions of guests' personal information and hotel reservations.
Hotel management platform Otelier has suffered a significant data breach, compromising the personal information and hotel reservations of millions of guests. The breach occurred after threat actors gained access to Otelier's Amazon S3 cloud storage. This allowed them to steal a large amount of sensitive data, reportedly close to eight terabytes. The affected hotel brands include major names like Marriott, Hilton, and Hyatt, raising concerns about widespread impact.

The stolen data includes personally identifiable information and reservation details, which could potentially expose guests to identity theft and various types of fraud. Otelier has confirmed the data breach and stated that they are communicating with their impacted customers. The initial breach is said to have started in July 2024 and continued through October of the same year. This extended access allowed the attackers to exfiltrate the substantial amount of data that they are now believed to have.

Recommended read:
References :
@www.helpnetsecurity.com //

Palo Alto Networks Unifies Cloud Security with Cortex Cloud - Palo Alto Networks has introduced Cortex Cloud, integrating its cloud detection and response (CDR) and cloud-native application protection platform (CNAPP) capabilities onto the unified Cortex platform using AI and automation to provide real-time cloud security.
Palo Alto Networks has unveiled Cortex Cloud, a unified platform integrating its cloud detection and response (CDR) and cloud-native application protection platform (CNAPP) capabilities. Cortex Cloud merges Prisma Cloud with Cortex CDR to deliver real-time cloud security, addressing the growing risks in cloud environments. The platform uses AI-driven insights to reduce risks and prevent threats, providing continuous protection from code to cloud to SOC.

Cortex Cloud aims to solve the disconnect between cloud and enterprise security teams, which often operate in silos. With Cortex Cloud, security teams gain a context-driven defense that delivers real-time cloud security. Palo Alto Networks will include CNAPP at no additional cost for every Cortex Cloud Runtime Security customer.

Recommended read:
References :
  • www.helpnetsecurity.com: Palo Alto Networks Cortex Cloud applies AI-driven insights to reduce risk and prevent threats
  • www.paloaltonetworks.com: Introducing Cortex Cloud — The Future of Real-Time Cloud Security
  • www.prnewswire.com: "we're including CNAPP at no additional cost for every Cortex Cloud Runtime Security customer."
  • securityboulevard.com: Palo Alto Networks today launched its Cortex Cloud platform to integrate the company’s cloud-native application protection platform (CNAPP) known as Prisma Cloud into a platform that provides a wider range of cloud security capabilities.

Posts

Blogs

Research Tools