AWS – INDIA NEWS
http://www.indiavpn.org

AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs
http://www.indiavpn.org/2024/04/16/aws-google-and-azure-cli-tools-could-leak-credentials-in-build-logs/
Tue, 16 Apr 2024 18:35:15 +0000

Apr 16, 2024 | Newsroom | Cloud Security / DevSecOps

Credentials in Build Logs

New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations.

The vulnerability has been codenamed LeakyCLI by cloud security firm Orca.

“Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions,” security researcher Roi Nisimi said in a report shared with The Hacker News.

Microsoft has since addressed the issue as part of security updates released in November 2023, assigning it the CVE identifier CVE-2023-36052 (CVSS score: 8.6).


The idea, in a nutshell, has to do with how certain CLI commands can be used to show (pre-)defined environment variables and write that output to Continuous Integration and Continuous Deployment (CI/CD) logs. A list of such commands spanning AWS and Google Cloud is below:

  • aws lambda get-function-configuration
  • aws lambda get-function
  • aws lambda update-function-configuration
  • aws lambda update-function-code
  • aws lambda publish-version
  • gcloud functions deploy <func> --set-env-vars
  • gcloud functions deploy <func> --update-env-vars
  • gcloud functions deploy <func> --remove-env-vars

Orca said it found several projects on GitHub that inadvertently leaked access tokens and other sensitive data via Github Actions, CircleCI, TravisCI, and Cloud Build logs.


Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager.


Google also recommends the use of the “--no-user-output-enabled” option to suppress the printing of command output to standard output and standard error in the terminal.
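As an added example (not from Orca's report or either vendor's tooling), the following Python scanner shows what a defender can do about logs that already exist: it finds the Environment.Variables block that `aws lambda get-function-configuration` prints, flags variables whose names look like secrets, and masks their values before the log is retained or shared. The CI log and every value in it are constructed.

```python
import json
import re

# Constructed sample CI log (not a real build) in which `aws lambda get-function-configuration`
# echoed the function's Environment block (shape of the real API response; values are placeholders).
SAMPLE_CI_LOG = """\
[build] $ aws lambda get-function-configuration --function-name billing-worker
{
    "FunctionName": "billing-worker",
    "Environment": {
        "Variables": {
            "LOG_LEVEL": "info",
            "DB_PASSWORD": "s3cr3t-example-value",
            "STRIPE_API_KEY": "sk_test_EXAMPLEPLACEHOLDER"
        }
    }
}
"""

# Variable names that conventionally hold secrets (heuristic; extend for your own naming scheme).
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE|CREDENTIAL", re.I)

def extract_json_objects(text):
    """Yield every top-level JSON object embedded in free-form log text."""
    decoder = json.JSONDecoder()
    pos = 0
    while (pos := text.find("{", pos)) != -1:
        try:
            obj, consumed = decoder.raw_decode(text[pos:])
        except json.JSONDecodeError:
            pos += 1          # this brace does not start valid JSON; keep scanning
            continue
        if isinstance(obj, dict):
            yield obj
        pos += consumed       # skip the whole object so nested braces are not re-parsed

def leaked_variables(log_text):
    """Return {name: value} for each environment variable in the log whose name suggests a secret."""
    leaks = {}
    for obj in extract_json_objects(log_text):
        env = obj.get("Environment")
        if not isinstance(env, dict):
            continue
        for name, value in env.get("Variables", {}).items():
            if SECRET_NAME.search(name):
                leaks[name] = value
    return leaks

def redact_log(log_text):
    """Mask the values of suspected secrets so the log can be stored or shared."""
    redacted = log_text
    for value in leaked_variables(log_text).values():
        if value:  # never replace the empty string, which would corrupt the whole log
            redacted = redacted.replace(value, "***REDACTED***")
    return redacted
```

The name heuristic deliberately errs toward flagging too much; pairing it with an entropy check on values catches secrets stored under innocuous names such as LOG_LEVEL.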

“If bad actors get their hands on these environment variables, this could potentially lead to viewing sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can,” Nisimi said.

“CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat.”

AWS Patches Critical ‘FlowFixation’ Bug in Airflow Service to Prevent Session Hijacking
http://www.indiavpn.org/2024/03/22/aws-patches-critical-flowfixation-bug-in-airflow-service-to-prevent-session-hijacking/
Fri, 22 Mar 2024 14:53:55 +0000

Mar 22, 2024 | Newsroom | Amazon Web Services / Vulnerability

Session Hijacking

Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could be potentially exploited by a malicious actor to hijack victims’ sessions and achieve remote code execution on underlying instances.

The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.

“Upon taking over the victim’s account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGS),” senior security researcher Liv Matan said in a technical analysis.

“Under certain circumstances such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services.”


The root cause of the vulnerability, per the cybersecurity firm, is a combination of session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a cross-site scripting (XSS) attack.

Session fixation is a web attack technique that occurs when a user is authenticated to a service without invalidating any existing session identifiers. This permits the adversary to force (aka fixate) a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.


By abusing the shortcoming, a threat actor could have forced victims to use and authenticate the attacker’s known session and ultimately take over the victim’s web management panel.

“FlowFixation highlights a broader issue with the current state of cloud providers’ domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks,” Matan said, adding the misconfiguration also impacts Microsoft Azure and Google Cloud.

Tenable also pointed out that the shared architecture – where several customers have the same parent domain – could be a goldmine for attackers looking to exploit vulnerabilities like same-site attacks, cross-origin issues, and cookie tossing, effectively leading to unauthorized access, data leaks, and code execution.


The shortcoming has been addressed by both AWS and Azure adding the misconfigured domains to the PSL, thus causing web browsers to recognize the added domains as public suffixes. Google Cloud, on the other hand, has described the issue as not “severe enough” to merit a fix.
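To show why registering a shared parent domain on the PSL closes the cross-tenant cookie path, here is an added Python illustration (not Tenable's or any cloud provider's code) of the browser-side check: a simplified PSL lookup and the Set-Cookie Domain rule built on it. All domain names are constructed placeholders; “shared.example” stands in for a provider parent domain that many customers share.

```python
# Added example. Domain names are constructed; "shared.example" plays the role of a
# provider-owned parent domain under which every tenant gets a sub-domain.

def public_suffix(host, psl_rules):
    """Simplified Public Suffix List lookup: the longest matching rule wins, '*' matches one
    label, and '!' exception rules are omitted. With no matching rule the top-level label is
    the suffix, as in the real algorithm."""
    labels = host.lower().strip(".").split(".")
    best = 1
    for rule in psl_rules:
        rule_labels = rule.lower().split(".")
        if len(rule_labels) > len(labels):
            continue
        tail = labels[-len(rule_labels):]
        if all(r == "*" or r == h for r, h in zip(rule_labels, tail)):
            best = max(best, len(rule_labels))
    return ".".join(labels[-best:])

def is_public_suffix(domain, psl_rules):
    return public_suffix(domain, psl_rules) == domain.lower().strip(".")

def cookie_domain_allowed(request_host, cookie_domain, psl_rules):
    """Mimic the browser check on a Set-Cookie Domain attribute: the domain must cover the
    responding host, and a public suffix may never be used as a cookie domain."""
    host = request_host.lower().strip(".")
    domain = cookie_domain.lower().strip(".")
    if host != domain and not host.endswith("." + domain):
        return False  # Domain attribute does not domain-match the responding host
    return not is_public_suffix(domain, psl_rules)

# Two tenants of the same provider share a parent domain (constructed names).
TENANT_A = "tenant-a.shared.example"
TENANT_B = "tenant-b.shared.example"
PSL_BEFORE = ["example"]                   # parent domain not registered as a public suffix
PSL_AFTER = ["example", "shared.example"]  # the fix the article describes: parent added to PSL

def cross_tenant_cookie_possible(psl_rules):
    """True if a response from tenant A can set a cookie that browsers will also send to tenant B,
    which is the precondition for cookie tossing and the session-fixation path described above."""
    return (cookie_domain_allowed(TENANT_A, "shared.example", psl_rules)
            and TENANT_B.endswith(".shared.example"))
```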

“In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with heightened risk of such attacks in cloud environments,” Matan explained.

“Among these, cookie-tossing attacks and same-site attribute cookie protection bypass are particularly concerning as both can circumvent CSRF protection. Cookie-tossing attacks can also abuse session-fixation issues.”

Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub
http://www.indiavpn.org/2024/03/13/cybercriminals-deploying-vcurms-and-strrat-trojans-via-aws-and-github/
Wed, 13 Mar 2024 10:32:29 +0000

Mar 13, 2024 | Newsroom | Phishing Attack / Threat Intelligence

VCURMS and STRRAT Trojans

A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader.

“The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said.

An unusual aspect of the campaign is VCURMS’ use of a Proton Mail email address (“sacriliage@proton[.]me”) for communicating with a command-and-control (C2) server.

The attack chain commences with a phishing email that urges recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.


Executing the JAR file leads to the retrieval of two more JAR files, which are then run separately to launch the twin trojans.

Besides sending an email with the message “Hey master, I am online” to the actor-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines to extract the command to be executed from the body of the missive.

This includes running arbitrary commands using cmd.exe, gathering system information, searching and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint.

The information stealer comes fitted with capabilities to siphon sensitive data from apps like Discord and Steam, credentials, cookies, and auto-fill data from various web browsers, screenshots, and extensive hardware and network information about the compromised hosts.

VCURMS is said to share similarities with another Java-based infostealer codenamed Rude Stealer, which emerged in the wild late last year. STRRAT, on the other hand, has been detected in the wild since at least 2020, often propagated in the form of fraudulent JAR files.


“STRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications,” Wan noted.

The disclosure comes as Darktrace revealed a novel phishing campaign that’s taking advantage of automated emails sent from the Dropbox cloud storage service via “no-reply@dropbox[.]com” to propagate a bogus link mimicking the Microsoft 365 login page.

“The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization,” the company said. “The PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top.’”

Malicious ‘SNS Sender’ Script Abuses AWS for Bulk Smishing Attacks
http://www.indiavpn.org/2024/02/16/malicious-sns-sender-script-abuses-aws-for-bulk-smishing-attacks/
Fri, 16 Feb 2024 14:13:49 +0000

Feb 16, 2024 | Newsroom | Cyber Threat / Cloud Security

Bulk Smishing Attacks

A malicious Python script known as SNS Sender is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service (SNS).

The SMS phishing messages are designed to propagate malicious links that capture victims’ personally identifiable information (PII) and payment card details, SentinelOne said in a new report, attributing the activity to a threat actor named ARDUINO_DAS.

“The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery,” security researcher Alex Delamotte said.

SNS Sender is also the first tool observed in the wild that leverages AWS SNS to conduct SMS spamming attacks. SentinelOne said that it identified links between ARDUINO_DAS and more than 150 phishing kits offered for sale.

The malware requires a list of phishing links stored in a file named links.txt in its working directory, in addition to a list of AWS access keys, the phone numbers to target, the sender ID (aka display name), and the content of the message.


The mandatory inclusion of sender ID for sending the scam texts is noteworthy because support for sender IDs varies from country to country. This suggests that the author of SNS Sender is likely from a country where the sender ID is a conventional practice.

“For example, carriers in the United States don’t support sender IDs at all, but carriers in India require senders to use sender IDs,” Amazon says in its documentation.

There is evidence to suggest that this operation may have been active since at least July 2022, going by bank logs containing references to ARDUINO_DAS that have been shared on carding forums like Crax Pro.

A vast majority of the phishing kits are USPS-themed, with the campaigns directing users to bogus package tracking pages that prompt users to enter their personal and credit/debit card information, as evidenced by security researcher @JCyberSec_ on X (formerly Twitter) in early September 2022.

“Do you think the deploying actor knows all the kits have a hidden backdoor sending the logs to another place?” the researcher further noted.

If anything, the development represents commodity threat actors’ ongoing attempts to exploit cloud environments for smishing campaigns. In April 2023, Permiso revealed an activity cluster that took advantage of previously exposed AWS access keys to infiltrate AWS servers and send SMS messages using SNS.

The findings also follow the discovery of a new dropper codenamed TicTacToe that’s likely sold as a service to threat actors and has been observed being used to propagate a wide variety of information stealers and remote access trojans (RATs) targeting Windows users throughout 2023.

Fortinet FortiGuard Labs, which shed light on the malware, said it’s deployed by means of a four-stage infection chain that starts with an ISO file embedded within email messages.

Another relevant example of threat actors continuously innovating their tactics concerns the use of advertising networks to stage effective spam campaigns and deploy malware such as DarkGate.


“The threat actor proxied links through an advertising network to evade detection and capture analytics about their victims,” HP Wolf Security said. “The campaigns were initiated through malicious PDF attachments posing as OneDrive error messages, leading to the malware.”

The infosec arm of the PC maker also highlighted the misuse of legitimate platforms like Discord to stage and distribute malware, a trend that has become increasingly common in recent years, prompting the company to switch to temporary file links by the end of last year.

“Discord is known for its robust and reliable infrastructure, and it is widely trusted,” Intel 471 said. “Organizations often allowlist Discord, meaning that links and connections to it are not restricted. This makes its popularity among threat actors unsurprising given its reputation and widespread use.”

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials
http://www.indiavpn.org/2024/01/17/feds-warn-of-androxgh0st-botnet-targeting-aws-azure-and-office-365-credentials/
Wed, 17 Jan 2024 11:46:59 +0000

Jan 17, 2024 | Newsroom | Botnet / Cloud Security

AndroxGh0st Botnet

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that threat actors deploying the AndroxGh0st malware are creating a botnet for “victim identification and exploitation in target networks.”

A Python-based malware, AndroxGh0st was first documented by Lacework in December 2022, with the malware inspiring several similar tools like AlienFox, GreenBot (aka Maintance), Legion, and Predator.

The cloud attack tool is capable of infiltrating servers vulnerable to known security flaws to access Laravel environment files and steal credentials for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio.


Some of the notable flaws weaponized by the attackers include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework).

“AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitation of exposed creds and APIs, and even deployment of web shells,” Lacework said. “For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute-force attacks.”


These features make AndroxGh0st a potent threat that can be used to download additional payloads and retain persistent access to compromised systems.

The development arrives less than a week after SentinelOne revealed a related-but-distinct tool called FBot that is being employed by attackers to breach web servers, cloud services, content management systems (CMS), and SaaS platforms.


It also follows an alert from NETSCOUT about a significant spike in botnet scanning activity since mid-November 2023, touching a peak of nearly 1.3 million distinct devices on January 5, 2024. A majority of the source IP addresses are associated with the U.S., China, Vietnam, Taiwan, and Russia.

“Analysis of the activity has uncovered a rise in the use of cheap or free cloud and hosting servers that attackers are using to create botnet launch pads,” the company said. “These servers are used via trials, free accounts, or low-cost accounts, which provide anonymity and minimal overhead to maintain.”
