Cloud – INDIA NEWS (http://www.indiavpn.org), feed dated Mon, 15 Apr 2024 15:23:42 +0000

Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks
http://www.indiavpn.org/2024/04/15/muddled-libra-shifts-focus-to-saas-and-cloud-for-extortion-and-data-theft-attacks/
Mon, 15 Apr 2024 15:23:42 +0000

Apr 15, 2024 | Newsroom | Cloud Security / SaaS Security


The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data.

“Organizations often store a variety of data in SaaS applications and use services from CSPs,” Palo Alto Networks Unit 42 said in a report published last week.

“The threat actors have begun attempting to leverage some of this data to assist with their attack progression, and to use for extortion when trying to monetize their work.”

Muddled Libra, also called Starfraud, UNC3944, Scatter Swine, and Scattered Spider, is a notorious cybercriminal group that has leveraged sophisticated social engineering techniques to gain initial access to target networks.

“Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs,” the U.S. government said in an advisory late last year.


The attackers also have a history of monetizing access to victim networks in numerous ways, including extortion enabled by ransomware and data theft.

Unit 42 previously told The Hacker News that the moniker “Muddled Libra” comes from the “confusing muddled landscape” associated with the 0ktapus phishing kit, which has been put to use by other threat actors to stage credential harvesting attacks.

A key aspect of the threat actor’s tactical evolution is the use of reconnaissance techniques to identify administrative users to target when posing as helpdesk staff using phone calls to obtain their passwords.

The recon phase also extends to the target's technology stack: Muddled Libra performs extensive research to find information about the applications and the cloud service providers used by the target organizations.

“The Okta cross-tenant impersonation attacks that occurred from late July to early August 2023, where Muddled Libra bypassed IAM restrictions, display how the group exploits Okta to access SaaS applications and an organization’s various CSP environments,” security researcher Margaret Zimmermann explained.

The information obtained at this stage serves as a stepping stone for conducting lateral movement, abusing the admin credentials to access single sign-on (SSO) portals to gain quick access to SaaS applications and cloud infrastructure.

In the event SSO is not integrated into a target’s CSP, Muddled Libra undertakes broad discovery activities to uncover the CSP credentials, likely stored in unsecured locations, to meet their objectives.

The data stored in SaaS applications is also used to glean specifics about the compromised environment, capturing as many credentials as possible to widen the scope of the breach via privilege escalation and lateral movement.

“A large portion of Muddled Libra’s campaigns involve gathering intelligence and data,” Zimmermann said.


“Attackers then use this to generate new vectors for lateral movement within an environment. Organizations store a variety of data within their unique CSP environments, thus making these centralized locations a prime target for Muddled Libra.”

These actions specifically single out Amazon Web Services (AWS) and Microsoft Azure, targeting services like AWS IAM, Amazon Simple Storage Service (S3), AWS Secrets Manager, Azure storage account access keys, Azure Blob Storage, and Azure Files to extract relevant data.

Data exfiltration to an external entity is achieved by abusing legitimate CSP services and features. This encompasses tools like AWS DataSync, AWS Transfer, and a technique called snapshot, the latter of which makes it possible to move data out of an Azure environment by staging the stolen data in a virtual machine.
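The two behaviours described above, a burst of Secrets Manager reads followed by DataSync or Transfer activity from the same principal, are both recorded in CloudTrail and can be correlated. The following Python is an added example written for this page, not code from Unit 42 or the article; the records, account id, ARNs and secret names are constructed placeholders, while the eventSource values and API names (GetSecretValue, CreateLocationS3, CreateTask, StartTaskExecution) are the ones CloudTrail logs for those services.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(ts, source, name, arn, secret=None):
    """Build a minimal CloudTrail-shaped record (only the fields used below)."""
    r = {"eventTime": ts, "eventSource": source, "eventName": name, "userIdentity": {"arn": arn}}
    if secret:
        r["requestParameters"] = {"secretId": secret}
    return r

# Constructed principals and events (not real telemetry); account id and ARNs are placeholders.
ADMIN = "arn:aws:iam::111122223333:user/helpdesk-admin"
APP = "arn:aws:sts::111122223333:assumed-role/app-backend/i-0123456789abcdef0"
SM, DS = "secretsmanager.amazonaws.com", "datasync.amazonaws.com"
RECORDS = [
    rec("2024-04-10T09:58:00Z", SM, "GetSecretValue", APP, "prod/db/master"),      # normal app read
    rec("2024-04-10T10:00:05Z", SM, "GetSecretValue", ADMIN, "prod/db/master"),
    rec("2024-04-10T10:00:41Z", SM, "GetSecretValue", ADMIN, "prod/db/replica"),
    rec("2024-04-10T10:01:12Z", SM, "GetSecretValue", ADMIN, "prod/payments/api-key"),
    rec("2024-04-10T10:01:50Z", SM, "GetSecretValue", ADMIN, "prod/smtp/password"),
    rec("2024-04-10T10:02:33Z", SM, "GetSecretValue", ADMIN, "prod/sso/api-token"),
    rec("2024-04-10T10:03:09Z", SM, "GetSecretValue", ADMIN, "prod/backup/s3-key"),
    rec("2024-04-10T10:05:00Z", DS, "CreateLocationS3", ADMIN),
    rec("2024-04-10T10:06:10Z", DS, "CreateTask", ADMIN),
    rec("2024-04-10T10:07:02Z", DS, "StartTaskExecution", ADMIN),
    rec("2024-04-10T10:28:00Z", SM, "GetSecretValue", APP, "prod/db/master"),      # normal app read
]

# Services the article names as abused for moving data out of the account.
EXFIL_SOURCES = {"datasync.amazonaws.com", "transfer.amazonaws.com"}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def secret_enumeration(records, window=timedelta(minutes=15), min_distinct=5):
    """Principals that read >= min_distinct *different* secrets within one window.

    An application re-reading its own secret is normal; a human identity sweeping
    through many unrelated secrets in minutes is the harvesting pattern described above.
    """
    reads = defaultdict(list)
    for r in records:
        if r["eventSource"] == SM and r["eventName"] == "GetSecretValue":
            reads[r["userIdentity"]["arn"]].append(
                (parse_time(r["eventTime"]), r["requestParameters"]["secretId"]))
    flagged = {}
    for arn, events in reads.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {sid for t, sid in events[i:] if t - start <= window}
            if len(distinct) >= min_distinct:
                flagged[arn] = len(distinct)
                break
    return flagged

def exfil_staging(records):
    """Per principal, the DataSync/Transfer control-plane calls seen, in time order."""
    calls = defaultdict(list)
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if r["eventSource"] in EXFIL_SOURCES:
            calls[r["userIdentity"]["arn"]].append(r["eventName"])
    return calls

def correlate(records):
    """Alert when one principal both harvests secrets and sets up bulk data movement."""
    enumerated = secret_enumeration(records)
    staging = exfil_staging(records)
    return [{"principal": arn, "distinct_secrets": n, "exfil_events": staging[arn]}
            for arn, n in sorted(enumerated.items()) if arn in staging]

if __name__ == "__main__":
    for alert in correlate(RECORDS):
        print(f"{alert['principal']}: read {alert['distinct_secrets']} secrets, "
              f"then called {' -> '.join(alert['exfil_events'])}")
```

Either signal on its own generates noise (backup jobs legitimately create DataSync tasks; deployment roles read several secrets); requiring both from the same principal, with the secret reads coming from a human identity rather than a workload role, is what makes the alert actionable.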

Muddled Libra’s tactical shift requires organizations to secure their identity portals with robust secondary authentication protections like hardware tokens or biometrics.

“By expanding their tactics to include SaaS applications and cloud environments, the evolution of Muddled Libra’s methodology shows the multidimensionality of cyberattacks in the modern threat landscape,” Zimmermann concluded. “The use of cloud environments to gather large amounts of information and quickly exfiltrate it poses new challenges to defenders.”

Revolutionizing Privileged Access Management with One Identity Cloud PAM Essentials
http://www.indiavpn.org/2024/04/09/revolutionizing-privileged-access-management-with-one-identity-cloud-pam-essentials/
Tue, 09 Apr 2024 07:16:55 +0000

Apr 09, 2024 | The Hacker News | Privileged Access Management

As cyber threats loom around every corner and privileged accounts become prime targets, the significance of implementing a robust Privileged Access Management (PAM) solution can’t be overstated. With organizations increasingly migrating to cloud environments, the PAM Solution Market is experiencing a transformative shift toward cloud-based offerings. One Identity PAM Essentials stands out among these as a SaaS-based PAM solution that prioritizes security, manageability, and compliance.

Security-first, user-centric design

PAM Essentials boasts a user-centric and security-first design – not only prioritizing the protection of critical assets, but also ensuring a seamless user experience. By providing privileged sessions and access controls, PAM Essentials mitigates the heightened risks associated with unauthorized users, safeguarding critical data against potential breaches. Designed for ease of use, it ensures that robust security does not come at the expense of usability.

Simplified PAM approach with full visibility

One of the standout features of PAM Essentials is its simplified PAM approach, coupled with full visibility. Unlike traditional on-premises PAM solutions, PAM Essentials eliminates unnecessary complexities and the need for additional infrastructure investments. This streamlined approach not only reduces operational overhead but also provides organizations with comprehensive visibility into privileged access activities, facilitating proactive threat detection and mitigation.

Cost-effective and compliant

In today’s regulatory landscape, compliance is non-negotiable. PAM Essentials aids organizations in meeting compliance and industry-specific standards, ensuring adherence to regulatory requirements and enabling them to fulfill cyber insurance requirements. Its cost-effectiveness creates significant savings for businesses, eliminating the need for costly infrastructure and resource allocations associated with traditional PAM solutions.

Cloud-native architecture for scalability and flexibility

Built on a cloud-native architecture, PAM Essentials offers unparalleled scalability, flexibility and accessibility. This ensures seamless integration with cloud services, allowing organizations to adapt and scale their privileged identity management strategies in response to evolving business needs. PAM Essentials also provides a seamless experience for remote teams, enabling secure access to critical systems and resources from anywhere at any time.

Native integration and seamless experience

PAM Essential’s native integration with OneLogin access management solutions enhances its capabilities. By leveraging OneLogin’s robust identity and access management platform, PAM Essentials delivers a seamless privileged access management experience. This integration not only enhances security but also streamlines administrative tasks, improving overall operational efficiency.

Conclusion

As organizations navigate the complexities of modern cybersecurity threats and the constantly evolving digital landscape, the importance of effective Privileged Access Management cannot be overstated. PAM Essentials represents a shift in PAM tools, offering a comprehensive, cloud-native approach to security, manageability and compliance. With its user-centric design, simplified approach and seamless integration capabilities, PAM Essentials is set to redefine the future of Privileged Access Management, empowering organizations to safeguard their most critical assets.

This article is a contributed piece from one of our valued partners.
Harnessing the Power of CTEM for Cloud Security
http://www.indiavpn.org/2024/04/02/harnessing-the-power-of-ctem-for-cloud-security/
Tue, 02 Apr 2024 11:58:46 +0000

Cloud solutions are more mainstream – and therefore more exposed – than ever before.

In 2023 alone, a staggering 82% of data breaches were against public, private, or hybrid cloud environments. What’s more, nearly 40% of breaches spanned multiple cloud environments. The average cost of a cloud breach was above the overall average, at $4.75 million. In a time where cloud has become the de facto standard – with 65% of IT decision-makers confirming that cloud-based services are their first choice when upgrading or purchasing new solutions – despite its overwhelming prominence, cloud security still faces multiple challenges.

Security Challenges in the Cloud

One major hurdle is the lack of visibility. Unlike physical servers you can see and touch, cloud resources are often spread across vast networks, making it difficult to monitor for suspicious activity and leaving vulnerabilities undetected. Another challenge is the inconsistency across cloud vendor permission management systems. Different providers have different controls for who can access and modify data. This inconsistency creates complexity and increases the risk of accidental misconfigurations, which are a leading cause of breaches.

Moreover, with multiple teams involved in cloud deployments – development, operations, security – clear ownership and accountability for cloud security can be blurred. This lack of coordination can lead to situations where security best practices are overlooked or bypassed. Additionally, many attacks move across the cloud to on-prem environments and vice versa, which can put both environments at risk.

All these challenges highlight the urgent need for robust cloud security solutions that provide comprehensive visibility, standardized permission management, and clear lines of responsibility. Yet security resources are stretched thin even in the best-provisioned teams – and cloud security teams are expected to investigate and remediate thousands of exposures that may not all have the same impact on critical resources. This leads to uncertainty around what to fix first and how to actually address all the identified exposures, leaving cloud environments exposed to cyberattacks.

Continuous Exposure Management is Essential

Instead of chasing countless vulnerabilities, security teams need to prioritize the most critical ones. This means being able to quickly identify the most dangerous attack paths and take preemptive action against advanced attack methods in the cloud.

By focusing on high-risk areas, cloud security teams can build targeted remediation plans that prevent major attacks, streamline workflows, and accurately report on real threats across multiple cloud environments. The key to achieving this is Continuous Threat Exposure Management (CTEM), a proactive and continuous five-stage program or framework that reduces exposure to cyberattacks. First introduced by Gartner in 2022, CTEM has proven essential for preventing high-impact attacks, improving remediation efficiency, and reporting true risk.

Stop letting hackers play connect-the-dots with your cloud security. Discover the secret map they don’t want you to have in our eBook: ‘The Power of Attack Paths in Cloud’. Learn to visualize, intercept, and secure your digital fortress like never before.

CTEM was introduced to solve the problem of endless lists of exposures, and more specifically vulnerabilities, across on-prem environments. Not being able to highlight and fix the exposures that are most critical leaves security teams fixing CVEs that may or may not be exploitable or impactful in their specific environment. In multi-cloud environments, the lists of vulnerabilities may be shorter, but together with misconfigurations and highly privileged access, they add up to a long list of exposures that attackers can use to breach the multi-cloud environment and that security teams must address. The only way to block attacks is by identifying and fixing the exposures with the highest impact on your business. That requires adopting the CTEM framework in the cloud environment.

Fix What Matters Across Multi-Cloud

To help cloud security teams fix what matters and block high-impact attacks in multi-cloud environments, a comprehensive CTEM program will highlight the most impactful entities that can compromise cloud resources. These solutions identify the cloud resources that can be compromised and discover all the exposures that attackers can use to compromise them. Mapping the attack paths that attackers could exploit helps prioritize and validate the most impactful exposures that are exploitable in the multi-cloud environment in order to address them first.

For example, taking the attacker’s perspective allows identifying top choke points. Choke points are critical weaknesses in your cloud defenses, where multiple attack paths converge on a single exposure. They can be easily breached by attackers who can then access a vast network of resources – databases, computers, identity controls, and more. By prioritizing these high-impact areas, security teams focus on the most attractive targets for attackers, maximizing the return on their security efforts. Common choke points include internet-facing systems and unused access accounts. Addressing them significantly reduces the attack surface, effectively fortifying your entire cloud environment.
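The choke-point idea above can be made concrete as a graph problem: enumerate the attack paths from entry points to critical assets and count how many of them pass through each intermediate node. The Python below is an added example written for this page, not XM Cyber's code or algorithm; the graph (entity names, edges, entry points and critical assets) is constructed to illustrate the idea.

```python
from collections import defaultdict

# Constructed attack graph (example data, not from any real environment). An edge
# A -> B means "an attacker who controls A can reach B" (a permission, a stored
# credential, a network path). Entry points are where an attacker starts; critical
# assets are what they are after.
EDGES = [
    ("internet-facing-vm", "iam-role-ci"),
    ("phished-dev-laptop", "iam-role-ci"),
    ("phished-dev-laptop", "unused-service-account"),
    ("iam-role-ci", "s3-customer-data"),
    ("iam-role-ci", "secrets-manager"),
    ("unused-service-account", "secrets-manager"),
    ("secrets-manager", "prod-db"),
]
ENTRY_POINTS = {"internet-facing-vm", "phished-dev-laptop"}
CRITICAL_ASSETS = {"s3-customer-data", "prod-db"}

def build_adjacency(edges):
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    return adj

def enumerate_attack_paths(edges, entry_points, critical_assets):
    """Every simple path from an entry point to a critical asset."""
    adj = build_adjacency(edges)
    paths = []

    def dfs(node, path):
        if node in critical_assets:
            paths.append(list(path))   # reached a target; no need to go further
            return
        for nxt in adj.get(node, []):
            if nxt not in path:        # simple paths only, so cycles cannot loop forever
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for entry in sorted(entry_points):
        dfs(entry, [entry])
    return paths

def find_choke_points(edges, entry_points, critical_assets):
    """Rank non-target nodes by how many attack paths pass through them.

    The node with the most converging paths is the choke point: fixing that one
    exposure (rotating the credential, removing the permission, enforcing MFA)
    cuts every path that runs through it.
    """
    paths = enumerate_attack_paths(edges, entry_points, critical_assets)
    convergence = defaultdict(int)
    reachable = defaultdict(set)
    for path in paths:
        for node in path[:-1]:
            convergence[node] += 1
            reachable[node].add(path[-1])
    ranked = sorted(convergence.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(node, count, sorted(reachable[node])) for node, count in ranked]

if __name__ == "__main__":
    for node, count, assets in find_choke_points(EDGES, ENTRY_POINTS, CRITICAL_ASSETS):
        print(f"{node}: on {count} attack path(s), leads to {', '.join(assets)}")
```

On this constructed graph the CI role sits on four of the five paths and reaches both critical assets, so it outranks the internet-facing VM even though the VM is the more obvious exposure; removing the role's outbound permissions leaves a single remaining path. Path enumeration is exponential in the worst case, so a production tool would bound path length or use betweenness-style approximations, but the ranking logic is the same.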

Example of Cloud Choke Point showing inbound and outbound attack paths

Another example of a high-impact exposure stems from pre-defined highly privileged access. Highly privileged accounts, like pre-defined admins, are considered “game-over” assets. If compromised, attackers can wreak havoc. Having a comprehensive approach to CTEM helps by identifying these accounts and uncovering weaknesses that could leave them vulnerable. This includes spotting admin access without multi-factor authentication (MFA) or unused service accounts – essentially, weaknesses attackers would love to exploit.

To ensure critical exposures are addressed, advanced exposure management solutions provide remediation guidance and alternatives. More often than not, highly privileged accounts or internet-facing resources cannot be restricted, but analyzing the attack path that leads to them makes it possible to find a fix that lowers their exploitability and hence their level of risk.

Stopping Hybrid Environment Attacks

Attackers are not limited by hybrid environments, and defenders must ensure they too are not limited. Solutions that analyze hybrid attack paths across on-prem and multi-cloud environments allow security teams to stay one step ahead of attacks by understanding exactly where they are exposed to cyber threats. These tools provide complete details around potential breach points, attack techniques, permissions usage, and remediation alternatives to help customers address these exposures and block the most critical attack paths.

Example hybrid attack path across MS Active Directory and AWS

Summary

While traditional cloud security struggles against the volume of ever-present exposures, CTEM offers an actionable remediation plan by focusing on the most critical ones in a specific environment. The right approach to CTEM reaches across on-prem and multi-cloud, encompassing your entire IT landscape. This holistic approach eliminates blind spots and empowers organizations to transition from reactive to proactive defense. By embracing CTEM, organizations can ensure their success in the cloud-based future.

Note: This expertly contributed article is written by Zur Ulianitzky, VP Security Research at XM Cyber.

This article is a contributed piece from one of our valued partners.
AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials
http://www.indiavpn.org/2024/03/21/androxgh0st-malware-targets-laravel-apps-to-steal-cloud-credentials/
Thu, 21 Mar 2024 13:47:04 +0000

Mar 21, 2024 | Newsroom | Threat Intelligence / Vulnerability


Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that’s used to target Laravel applications and steal sensitive data.

“It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio,” Juniper Threat Labs researcher Kashinath T Pattan said.

“Classified as an SMTP cracker, it exploits SMTP using various strategies such as credential exploitation, web shell deployment, and vulnerability scanning.”

AndroxGh0st has been detected in the wild since at least 2022, with threat actors leveraging it to access Laravel environment files and steal credentials for various cloud-based applications like Amazon Web Services (AWS), SendGrid, and Twilio.

Attack chains involving the Python malware are known to exploit known security flaws in Apache HTTP Server, Laravel Framework, and PHPUnit to gain initial access and for privilege escalation and persistence.


Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for “victim identification and exploitation in target networks.”

“Androxgh0st first gains entry through a weakness in Apache, identified as CVE-2021-41773, allowing it to access vulnerable systems,” Pattan explained.

“Following this, it exploits additional vulnerabilities, specifically CVE-2017-9841 and CVE-2018-15133, to execute code and establish persistent control, essentially taking over the targeted systems.”

Androxgh0st is designed to exfiltrate sensitive data from various sources, including .env files, databases, and cloud credentials. This allows threat actors to deliver additional payloads to compromised systems.

Juniper Threat Labs said it has observed an uptick in activity related to the exploitation of CVE-2017-9841, making it essential that users move quickly to update their instances to the latest version.
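The .env harvesting described above leaves a clear trace in ordinary web-server access logs: requests for `.env` files and for the Composer `vendor/` tree (where PHPUnit lives), neither of which a correctly deployed Laravel application should ever serve. The Python below is an added example for this page, not Juniper's tooling or the article's code; the log lines and IP addresses are constructed. It distinguishes a probe that was refused from a request the server actually answered with a 2xx, which is the case that needs immediate credential rotation.

```python
import re
from collections import Counter

# Constructed Apache/nginx combined-format access log lines (not real traffic).
ACCESS_LOG = """\
203.0.113.5 - - [19/Mar/2024:10:12:01 +0000] "GET /.env HTTP/1.1" 200 742 "-" "python-requests/2.31.0"
203.0.113.5 - - [19/Mar/2024:10:12:02 +0000] "GET /api/.env HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.5 - - [19/Mar/2024:10:12:03 +0000] "POST /vendor/phpunit/ HTTP/1.1" 403 199 "-" "python-requests/2.31.0"
198.51.100.23 - - [19/Mar/2024:10:15:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Mar/2024:10:15:41 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Mar/2024:10:20:00 +0000] "GET /storage/env.png HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Laravel's .env (and leftovers such as .env.bak) must never be web-reachable.
ENV_RE = re.compile(r"(?:^|/)\.env(?:\.[\w-]+)?$")
# Composer's vendor/ tree, PHPUnit included, must never be web-reachable either.
VENDOR_RE = re.compile(r"^/vendor/phpunit(?:/|$)", re.IGNORECASE)

def classify_path(path):
    """Return 'env-file', 'phpunit', or None for an uninteresting path."""
    path = path.split("?", 1)[0]          # ignore the query string
    if ENV_RE.search(path):
        return "env-file"
    if VENDOR_RE.search(path):
        return "phpunit"
    return None

def scan_access_log(text):
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # malformed line; skip rather than crash
        ip, ts, method, path, status = m.groups()
        kind = classify_path(path)
        if kind is None:
            continue
        # A 2xx on these paths means the server handed the file or endpoint over:
        # treat the credentials in that .env as compromised and rotate them.
        severity = "critical" if status.startswith("2") else "probe"
        findings.append({"ip": ip, "time": ts, "method": method, "path": path,
                         "status": int(status), "kind": kind, "severity": severity})
    return findings

def probing_sources(findings):
    """Source IPs ranked by number of requests for sensitive paths."""
    return Counter(f["ip"] for f in findings).most_common()

if __name__ == "__main__":
    results = scan_access_log(ACCESS_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['ip']:15} {f['method']} {f['path']} -> {f['status']}")
    print("top sources:", probing_sources(results))
```

The preventive fix is the web server's document root: point it at Laravel's `public/` directory so that `.env` and `vendor/` are outside what can be served at all; the scan then only ever reports probes, never a critical hit.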


A majority of the attack attempts targeting its honeypot infrastructure originated from the U.S., U.K., China, the Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia, and India, it added.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that vulnerable WebLogic servers located in South Korea are being targeted by adversaries and used as download servers to distribute a cryptocurrency miner called z0Miner and other tools like fast reverse proxy (FRP).

It also follows the discovery of a malicious campaign that infiltrates AWS instances to create over 6,000 EC2 instances within minutes and deploy a binary associated with a decentralized content delivery network (CDN) known as Meson Network.

The Singapore-based company, which aims to create the “world’s largest bandwidth marketplace,” works by allowing users to exchange their idle bandwidth and storage resources with Meson for tokens (i.e., rewards).


“This means miners will receive Meson tokens as a reward for providing servers to the Meson Network platform, and the reward will be calculated based on the amount of bandwidth and storage brought into the network,” Sysdig said in a technical report published this month.

“It isn’t all about mining cryptocurrency anymore. Services like Meson network want to leverage hard drive space and network bandwidth instead of CPU. While Meson may be a legitimate service, this shows that attackers are always on the lookout for new ways to make money.”

With cloud environments increasingly becoming a lucrative target for threat actors, it is critical to keep software up to date and monitor for suspicious activity.

Threat intelligence firm Permiso has also released a tool called CloudGrappler, which is built on the foundations of cloudgrep and scans AWS and Azure environments to flag malicious events related to well-known threat actors.

Data Leakage Prevention in the Age of Cloud Computing: A New Approach
http://www.indiavpn.org/2024/03/11/data-leakage-prevention-in-the-age-of-cloud-computing-a-new-approach/
Mon, 11 Mar 2024 13:19:45 +0000

Mar 11, 2024 | The Hacker News | Cybersecurity / Browser Security

As the shift of IT infrastructure to cloud-based solutions celebrates its 10-year anniversary, it becomes clear that traditional on-premises approaches to data security are becoming obsolete. Rather than protecting the endpoint, DLP solutions need to refocus their efforts to where corporate data resides – in the browser.

A new guide by LayerX titled “On-Prem is Dead. Have You Adjusted Your Web DLP Plan?” (download here) dives into this transition, detailing its root cause, possible solution paths forward and actionable implementation examples. After reading the guide, security and IT professionals will be equipped with the relevant information they need to update and upgrade their DLP solutions.

Guide highlights include:

Why DLP

The guide commences with an explanation of the role of DLP. DLP solutions protect data from unwanted exposure by classifying it, determining its sensitivity level, and enforcing protective action. This is supposed to allow organizations to detect and prevent data breaches and other malicious activities and to meet compliance regulations.

What Has Changed for DLP and Corporate Data

However, DLPs were designed with on-prem environments in mind. In these scenarios, data that leaves the environment is usually attached to an email or a hardware device. Therefore, DLPs were traditionally placed on the gateway between the corporate network and the public Internet. The rise of SaaS apps and website use requires an approach that addresses corporate data in its new location: online.

3 Data Protection Paths Forward

To address this gap, there are three ways security and IT teams can operate.

1. No Change – Using DLP solutions as they are while limiting data uploads to insecure online locations. As explained, this solution is partially effective.

2. CASB DLP – Inspecting files in SaaS apps and enforcing policies between devices and apps, and between apps. This solution is effective for some sanctioned apps, but not for all of them and not for unsanctioned ones.

3. Browser DLP – Monitoring data activity at the transaction point. This solution enforces policies across all vectors – devices, apps and the browser.

Since the browser is the interface between the device and websites and SaaS apps, it is the optimal location for placing the DLP. An enterprise browser extension can operate as a browser DLP, thanks to its ability to deeply monitor user activities and the web page execution. It can also enforce actions like alerting and blocking dangerous user actions.

Example Browser DLP Policies

Here are some examples of DLP policies designed to address where data now resides in cloud environments:

  • Alerting when confidential files are attached in webmail apps.
  • Blocking confidential file uploads to personal Google Drive accounts.
  • Blocking confidential file downloads to unmanaged devices.

This guide is an essential read for any organization dealing with data that is online. You can read it here.

This article is a contributed piece from one of our valued partners.
Five Eyes Agencies Expose APT29’s Evolving Cloud Attack Tactics
http://www.indiavpn.org/2024/02/27/five-eyes-agencies-expose-apt29s-evolving-cloud-attack-tactics/
Tue, 27 Feb 2024 10:55:01 +0000

Feb 27, 2024 | Newsroom | Cloud Security / Threat Intelligence


Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.

The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation.

Previously attributed to the supply chain compromise of SolarWinds software, the cyber espionage group attracted attention in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations with an aim to further their strategic objectives.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” according to the security bulletin.


These include:

  • Obtaining access to cloud infrastructure via service and dormant accounts by means of brute-force and password spraying attacks, pivoting away from exploiting software vulnerabilities in on-premises networks
  • Using tokens to access victims’ accounts without the need for a password
  • Leveraging password spraying and credential reuse techniques to seize control of personal accounts, using prompt bombing to bypass multi-factor authentication (MFA) requirements, and then registering their own device to gain access to the network
  • Making it harder to distinguish malicious connections from typical users by routing traffic through residential proxies, so that it appears to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers, concealing its true origin
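Password spraying against service and dormant accounts, the first tactic in the list above, defeats per-account lockout because each account sees only one or two guesses; what stands out instead is one source trying many different accounts in a short window. The Python below is an added example for this page, not code from the advisory or the article; the sign-in events, domain and IP addresses are constructed, and svc-backup is meant as a dormant service account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider sign-in events (not real telemetry):
# timestamp, user, source IP, result.
SIGNIN_LOG = """\
2024-02-20T09:00:01Z alice@example.test 203.0.113.10 FAILURE
2024-02-20T09:00:19Z bob@example.test 203.0.113.10 FAILURE
2024-02-20T09:00:37Z carol@example.test 203.0.113.10 FAILURE
2024-02-20T09:00:55Z dave@example.test 203.0.113.10 FAILURE
2024-02-20T09:01:13Z erin@example.test 203.0.113.10 FAILURE
2024-02-20T09:01:31Z frank@example.test 203.0.113.10 FAILURE
2024-02-20T09:04:50Z svc-backup@example.test 203.0.113.10 SUCCESS
2024-02-20T09:02:00Z alice@example.test 198.51.100.7 FAILURE
2024-02-20T09:02:20Z alice@example.test 198.51.100.7 FAILURE
2024-02-20T09:02:40Z alice@example.test 198.51.100.7 SUCCESS
2024-02-20T09:10:00Z grace@example.test 192.0.2.44 SUCCESS
"""

def parse_events(text):
    """Parse one event per line into (time, user, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag source IPs that fail against many *different* accounts inside one window.

    A user mistyping their own password several times (one account, several failures)
    is not flagged. Any success from the same source at or after the start of the
    spray is listed: those accounts need a forced credential reset and session revocation.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[3] == "FAILURE"]
        for i, (start, _, _, _) in enumerate(failures):
            users = {e[1] for e in failures[i:] if e[0] - start <= window}
            if len(users) >= min_distinct_users:
                hits = sorted({e[1] for e in evs if e[3] == "SUCCESS" and e[0] >= start})
                alerts[ip] = {"distinct_users": len(users),
                              "window_start": start.isoformat(),
                              "successes": hits}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_events(SIGNIN_LOG)).items():
        print(f"spray from {ip}: {info['distinct_users']} accounts tried, "
              f"successes to review: {info['successes'] or 'none'}")
```

Because the advisory also notes the use of residential proxies, a spray may be spread across many source addresses so that no single IP crosses the threshold; the same sliding-window count can then be keyed on another shared attribute of the attempts (user agent, client application, or ASN) instead of the IP, and a success on a dormant account should be reviewed regardless of how many failures preceded it.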

“For organizations that have moved to cloud infrastructure, the first line of defense against an actor such as SVR should be to protect against SVR’s TTPs for initial access,” the agencies said. “Once the SVR gains initial access, the actor is capable of deploying highly sophisticated post-compromise capabilities such as MagicWeb.”

Banking Trojans Target Latin America and Europe Through Google Cloud Run
http://www.indiavpn.org/2024/02/26/banking-trojans-target-latin-america-and-europe-through-google-cloud-run/
Mon, 26 Feb 2024 10:48:16 +0000


Cybersecurity researchers are warning about a spike in email phishing campaigns that are weaponizing the Google Cloud Run service to deliver various banking trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali) to targets across Latin America (LATAM) and Europe.

“The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s),” Cisco Talos researchers disclosed last week.

The high-volume malware distribution campaigns, observed since September 2023, have employed the same storage bucket within Google Cloud for propagation, suggesting potential links between the threat actors behind the distribution campaigns.

Google Cloud Run is a managed compute platform that enables users to run frontend and backend services, batch jobs, deploy websites and applications, and queue processing workloads without having to manage or scale the infrastructure.

“Adversaries may view Google Cloud Run as an inexpensive, yet effective way to deploy distribution infrastructure on platforms that most organizations likely do not prevent internal systems from accessing,” the researchers said.

A majority of the systems used to send phishing messages originate from Brazil, followed by the U.S., Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain, and Bangladesh. The emails bear themes related to invoices or financial and tax documents, in some cases purporting to be from local government tax agencies.


Embedded within these messages are links to a website hosted on run[.]app, resulting in the delivery of a ZIP archive containing a malicious MSI file either directly or via 302 redirects to a Google Cloud Storage location, where the installer is stored.

The threat actors have also been observed attempting to evade detection using geofencing tricks by redirecting visitors to these URLs to a legitimate site like Google when accessing them with a U.S. IP address.

Besides leveraging the same infrastructure to deliver both Mekotio and Astaroth, the infection chain associated with the latter acts as a conduit to distribute Ousaban.

Astaroth, Mekotio, and Ousaban are all designed to single out financial institutions, keeping tabs on users’ web browsing activity as well as logging keystrokes and taking screenshots should one of the target bank websites be open.

Ousaban has a history of weaponizing cloud services to its advantage, having previously employed Amazon S3 and Microsoft Azure to download second-stage payloads, and Google Docs to retrieve command-and-control (C2) configuration.

The development comes amid phishing campaigns propagating malware families such as DCRat, Remcos RAT, and DarkVNC that are capable of harvesting sensitive data and taking control of compromised hosts.

It also follows an uptick in threat actors deploying QR codes in phishing and email-based attacks (aka quishing) to trick potential victims into installing malware on their mobile devices.


“In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user’s login credentials when entered,” Talos said.

“QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.”

Phishing campaigns have also set their sights on the oil and gas sector, deploying an information stealer called Rhadamanthys, which has now reached version 0.6.0, a sign of the steady stream of patches and updates from its developers.

“The campaign starts with a phishing email using a vehicle incident report to lure victims into interacting with an embedded link that abuses an open redirect on a legitimate domain, primarily Google Maps or Google Images,” Cofense said.


Users who click on the link are then redirected to a website hosting a bogus PDF file, which, in reality, is a clickable image that contacts a GitHub repository and downloads a ZIP archive containing the stealer executable.

“Once a victim attempts to interact with the executable, the malware will unpack and start a connection with a command-and-control (C2) location that collects any stolen credentials, cryptocurrency wallets, or other sensitive information,” the company added.
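A static way to pull the real destination out of such links before anyone visits them, added here as an example and not Cofense’s tooling: the function below treats google.com properties as redirectors and looks for an absolute URL anywhere in the query string, so it does not depend on which parameter the abused endpoint uses (the parameter names and the sample links are assumptions). It also unwraps nested wrappers, which goes beyond the single hop described above.

```python
"""Statically unwrap links that hide their destination behind a trusted
open redirector, so the real target can be triaged without visiting it."""
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Domains whose redirect endpoints are abused in the campaign above. Assumption:
# the parameter carrying the destination varies, so any absolute http(s) URL in
# the query string is treated as the wrapped target.
REDIRECTOR_DOMAINS = ("google.com",)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_domain(hostname: str, domain: str) -> bool:
    return hostname == domain or hostname.endswith("." + domain)


def is_redirector(url: str) -> bool:
    return any(in_domain(host_of(url), d) for d in REDIRECTOR_DOMAINS)


def embedded_urls(url: str) -> List[str]:
    """Absolute http(s) URLs carried in the query string of url (decoded once)."""
    found = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for v in values:
            if v.lower().startswith(("http://", "https://")):
                found.append(v)
    return found


def unwrap(url: str, max_depth: int = 5) -> List[str]:
    """Follow nested redirector wrappers without any network access.
    Returns the hop list, starting with the original link."""
    hops = [url]
    while len(hops) <= max_depth and is_redirector(hops[-1]):
        inner = embedded_urls(hops[-1])
        if not inner:
            break
        hops.append(inner[0])
    return hops


def triage(url: str) -> Dict[str, object]:
    hops = unwrap(url)
    final = hops[-1]
    if len(hops) == 1:
        verdict = "no redirector wrapper"
    elif is_redirector(final):
        verdict = "redirector to a google.com property"
    else:
        verdict = f"external destination {host_of(final)} hidden behind {host_of(url)}"
    return {"final": final, "hops": hops, "verdict": verdict}


# Constructed sample links; the destination hosts are made up for the example.
SAMPLE_LINKS = [
    "https://www.google.com/url?q=https://incident-report-2024.example/report.pdf&sa=D",
    "https://maps.google.com/url?q=https://www.google.com/url?q%3Dhttps://files.example/nested.zip",
    "https://www.google.com/maps/place/Somewhere",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = triage(link)
        print(result["verdict"], "->", result["final"])
```

Feed it the href values extracted from a suspicious message; the `hops` list gives the analyst the full wrapper chain for the ticket, and the final host is what should be checked against reputation data, not the google.com front.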

Other campaigns have abused email marketing tools such as Twilio’s SendGrid, using stolen customer credentials to obtain those customers’ mailing lists and then to send convincing-looking phishing emails through the legitimate service, per Kaspersky.

“What makes this campaign particularly insidious is that the phishing emails bypass traditional security measures,” the Russian cybersecurity company noted. “Since they are sent through a legitimate service and contain no obvious signs of phishing, they may evade detection by automatic filters.”

These phishing activities are further fueled by the easy availability of phishing kits such as Greatness and Tycoon, which have become a cost-effective and scalable means for aspiring cyber criminals to mount malicious campaigns.

“Tycoon Group [phishing-as-a-service] is sold and marketed on Telegram for as low as $120,” Trustwave SpiderLabs researcher Rodel Mendrez said last week, noting the service first came into being around August 2023.

“Its key selling features include the ability to bypass Microsoft two-factor authentication, achieve ‘link speed at the highest level,’ and leveraging Cloudflare to evade antibot measures, ensuring the persistence of undetected phishing links.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Integrating Insights from Recorded Future to Revolutionize Cloud Security
http://www.indiavpn.org/2024/02/02/integrating-insights-from-recorded-future-to-revolutionize-cloud-security/
Fri, 02 Feb 2024 14:44:59 +0000

Feb 02, 2024 | The Hacker News | Threat Intelligence / Cloud Security


Cloudzy, a prominent cloud infrastructure provider, proudly announces a significant enhancement in its cybersecurity landscape. This breakthrough has been achieved through a recent consultation with Recorded Future, a leader in providing real-time threat intelligence and cybersecurity analytics. This initiative, coupled with an overhaul of Cloudzy’s cybersecurity strategies, represents a major leap forward in our commitment to digital safety and infrastructure integrity.

Key Enhancements in Cybersecurity

Comprehensive Threat Intelligence from Recorded Future

Recorded Future provides critical security reports, spotlighting potential security breaches and malicious activities. This sophisticated intelligence allows us to act promptly against threats like ransomware, APTs (advanced persistent threats), C2 (command and control) servers, malware, and more. Upon thorough evaluation of these reports and confirmation that the implicated accounts are indeed conducting illegal activities and are not victims, Cloudzy systematically bans these accounts. Furthermore, our system is designed to recognize and suspend any attempts by these entities to access our platform using fake identities, to better ensure a secure and trustworthy environment.

Refined Operations of CloudzPatrol, Our Advanced Threat Detection System

CloudzPatrol, a key component of Cloudzy’s security framework, has been significantly upgraded to enhance its threat detection and response capabilities. This system is intricately engineered to identify suspicious patterns within our infrastructure. Crucially, the improvement of CloudzPatrol is informed and enriched by comprehensive security reports received from Recorded Future and other cyber-security providers. By analyzing these reports, CloudzPatrol continuously refines its processes, enabling us to proactively target and mitigate risks posed by malicious accounts and machines.

Commitment to Ethical Enforcement

In enforcing our security measures, we consistently update our acceptable use policy to ensure our actions align with legal standards and prioritize user security. Our approach is meticulously ethical, safeguarding individual privacy while maintaining strict security standards.

Maintaining a Secure and Resilient Platform

These advancements mark Cloudzy’s unwavering dedication to maintaining a secure, resilient platform for our clients. Hannan Nozari, CEO of Cloudzy, emphasizes, “Our implementation of Recorded Future is a game changer in our relentless pursuit of cybersecurity excellence. We are now more equipped than ever to defend against cyber threats and maintain the integrity of our services. We encourage collaboration and partnership with organizations and individuals sharing similar cybersecurity concerns, as cybersecurity requires collective vigilance and effort.”

As an agile and user-focused IaaS provider, Cloudzy is uniquely positioned in the cloud infrastructure market. Our recent advancements in cybersecurity, exemplified by CloudzPatrol and our strategic collaborations, reinforce our commitment to delivering a secure, innovative, and personalized cloud experience, especially in a domain dominated by larger corporations.

For further information, please contact: pr@cloudzy.com

About Cloudzy

Cloudzy stands as a dynamic and user-centric cloud infrastructure provider, delivering secure and innovative solutions on a global scale. Our approach is deeply rooted in a commitment to user safety and data integrity. As a responsive and adaptable player in the industry, we continuously refine our cybersecurity strategies. This includes forging strategic collaborations with cybersecurity experts like Recorded Future, ensuring our users benefit from the highest standards of digital protection. At Cloudzy, we’re not just about technology; we’re about building a safer and more personal cloud experience for each of our users.

29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services
http://www.indiavpn.org/2024/01/13/29-year-old-ukrainian-cryptojacking-kingpin-arrested-for-exploiting-cloud-services/
Sat, 13 Jan 2024 11:38:31 +0000

Jan 13, 2024 | Newsroom | Cryptojacking / Cloud Security


A 29-year-old Ukrainian national has been arrested in connection with running a “sophisticated cryptojacking scheme,” netting them over $2 million (€1.8 million) in illicit profits.

The suspect was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following “months of intensive collaboration.”

“A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs,” Europol said, adding it shared the intelligence with the Ukrainian authorities.

As part of the probe, three properties were searched to unearth evidence against the suspect.


Cryptojacking is a form of cybercrime in which an attacker uses a person’s or organization’s computing resources, without authorization, to mine cryptocurrency.

In the cloud, such attacks typically begin with compromised credentials obtained elsewhere, which the attacker uses to get into the victim’s environment and deploy miners that burn the tenant’s compute to mine cryptocurrency without the owner’s knowledge or consent.

“If the credentials do not have the threat actors’ desired permissions, privilege escalation techniques are used to obtain additional permissions,” Microsoft noted in July 2023. “In some cases, threat actors hijack existing subscriptions to further obfuscate their operations.”

The core idea is to avoid paying for the infrastructure that mining requires, either by abusing free trials or by compromising legitimate tenants so that the victim foots the compute bill.

In October 2023, Palo Alto Networks Unit 42 detailed a cryptojacking campaign in which threat actors were found stealing Amazon Web Services (AWS) credentials from GitHub repositories within five minutes of their public disclosure to mine Monero.

New Python-based FBot Hacking Toolkit Aims at Cloud and SaaS Platforms
http://www.indiavpn.org/2024/01/11/new-python-based-fbot-hacking-toolkit-aims-at-cloud-and-saas-platforms/
Thu, 11 Jan 2024 19:13:04 +0000

Jan 11, 2024 | Newsroom | Cloud Security / Cyber Attacks


A new Python-based hacking tool called FBot has been uncovered targeting web servers, cloud services, content management systems (CMS), and SaaS platforms such as Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio.

“Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts,” SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

FBot joins a list of cloud hacking tools that includes AlienFox, GreenBot (aka Maintance), Legion, and Predator, all four of which share code-level overlaps with AndroxGh0st.

SentinelOne described FBot as “related but distinct from these families,” owing to the fact that it does not reference any source code from AndroxGh0st, although it exhibits similarities with Legion, which first came to light last year.


The end goal of the tool is to hijack cloud, SaaS, and web services as well as harvest credentials to obtain initial access and monetize it by selling the access to other actors.

FBot, in addition to generating API keys for AWS and Sendgrid, packs an assortment of features to generate random IP addresses, run reverse IP scanners, and even validate PayPal accounts and the email addresses associated with those accounts.

“The script initiates the Paypal API request via the website hxxps://www.robertkalinkin.com/index.php, which is a Lithuanian fashion designer’s retail sales website,” Delamotte noted. “Interestingly, all identified FBot samples use this website to authenticate the Paypal API requests, and several Legion Stealer samples do as well.”

On top of that, FBot packs in AWS-specific features to check for AWS Simple Email Service (SES) email configuration details and determine the targeted account’s EC2 service quotas. The Twilio-related functionality, likewise, is utilized to gather specifics about the account, namely the balance, currency, and phone numbers connected to the account.

FBot can also extract credentials from Laravel environment (.env) files.
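Both the Unit 42 finding in the cryptojacking item above (AWS keys lifted from public repositories within minutes of exposure) and FBot’s harvesting of Laravel .env files come down to secrets sitting in plain text where an attacker can read them. The scanner below is an added example, not part of either report or of any project’s code: it flags AWS access key IDs and secret keys, SendGrid API keys, and generic PASSWORD/SECRET/TOKEN assignments in .env-style text, redacting the values in its output so the findings can be logged safely. The SendGrid key layout is assumed from commonly documented formats; the sample .env is constructed, using the example credentials from AWS’s own documentation as the AWS values.

```python
"""Scan text for the credential types that cloud attack tools harvest from
repositories and framework .env files: AWS keys, SendGrid API keys, and
generic PASSWORD/SECRET/TOKEN assignments."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str


# Specific formats. The AWS access key ID (AKIA/ASIA + 16 chars) and 40-char
# secret follow AWS's documented shape; the SendGrid layout (SG.<22>.<43>) is
# the commonly documented one and is an assumption here.
SPECIFIC = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"),
    "sendgrid_api_key": re.compile(r"\b(SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43})\b"),
}
# Fallback for .env-style lines: KEY=value where KEY looks like a secret holder.
GENERIC_ENV = re.compile(
    r"^\s*[A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)\s*=\s*[\"']?([^\"'\s#]+)")


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pattern in SPECIFIC.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(1))))
                matched = True
        if not matched:  # only fall back to the generic rule when nothing specific hit
            m = GENERIC_ENV.match(line)
            if m:
                findings.append(Finding(path, lineno, "env_secret", redact(m.group(1))))
    return findings


def scan_files(paths: List[str]) -> List[Finding]:
    """Convenience wrapper for a pre-commit hook: scan each path on disk."""
    out: List[Finding] = []
    for p in paths:
        with open(p, "r", encoding="utf-8", errors="replace") as fh:
            out.extend(scan_text(p, fh.read()))
    return out


# Constructed sample .env (Laravel-style). The AWS values are the example
# credentials from AWS's own documentation; everything else is made up.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION=us-east-1
MAIL_MAILER=smtp
MAIL_PASSWORD=constructed-mail-password-1
SENDGRID_API_KEY=SG.AbCdEfGhIjKlMnOpQrStUv.AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfG
TWILIO_AUTH_TOKEN=
"""

if __name__ == "__main__":
    for f in scan_text(".env", SAMPLE_ENV):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

Wire `scan_files` into a pre-commit hook over the staged paths and fail the commit on any finding; the empty TWILIO_AUTH_TOKEN line in the sample shows that blank placeholders are deliberately ignored, so a committed template .env does not trip it.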


The cybersecurity firm said it uncovered samples dating from July 2022 to as recently as this month, suggesting that the tool is being actively used in the wild. That said, it is currently not known whether the tool is actively maintained or how it is distributed to other players.

“We found indications that FBot is the product of private development work, so contemporary builds may be distributed through a smaller scale operation,” Delamotte said.

“This aligns with the theme of cloud attack tools being bespoke ‘private bots’ tailored for the individual buyer, which is a theme prevalent among AlienFox builds.”
