A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities.
"As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and

Cloud Security / Cryptocurrency

A new ongoing campaign dubbed **EleKtra-Leak** has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities.

"As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said in a technical report shared with The Hacker News.

The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023.

A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are programmatically cloning and scanning the repositories to capture the exposed keys.

The adversary has also been observed blocklisting AWS accounts that publicize IAM credentials in what's likely seen as an effort to prevent further analysis.

There is evidence to suggest that the attacker may also have been linked to another cryptojacking campaign disclosed by Intezer in January 2021 aimed at poorly secured Docker services using the same bespoke mining software.

Part of the campaign's success lies in the exploitation of blindspots in GitHub's secret scanning feature and AWS' AWSCompromisedKeyQuarantine policy to flag and prevent the misuse of compromised or exposed IAM credentials to run or start EC2 instances.

While the quarantine policy is applied within two minutes of the AWS credentials being publicly accessible on GitHub, it's being suspected that the keys are being exposed through an as-yet-undetermined method.

Unit 42 said that the "threat actor might be able to find exposed AWS keys that aren't automatically detected by AWS and subsequently control these keys outside of the AWSCompromisedKeyQuarantine policy."

In the attack chains discovered by the cybersecurity company, the stolen AWS credentials are used to perform an account reconnaissance operation, followed by creating AWS security groups and launching multiple EC2 instances across various regions from behind a virtual private network (VPN).

The cryptomining operations are conducted on c5a.24xlarge AWS instances owing to their higher processing power, allowing its operators to mine more cryptocurrency in a shorter period of time.

The mining software used to carry out cryptojacking is fetched from a Google Drive URL, highlighting a pattern of malicious actors leveraging the trust associated with widely used applications to fly under the radar.

"The type of Amazon Machine Images (AMI) the threat actor used was also distinctive," the researchers said. "The identified images were private and they were not listed in the AWS Marketplace."

To mitigate such attacks, organizations that accidentally expose AWS IAM credentials are recommended to immediately revoke any API connections using the keys, remove them from the GitHub repository, and audit GitHub repository cloning events for any suspicious operations.

"The threat actor can detect and launch a full-scale mining operation within five minutes from the time of an AWS IAM credential being exposed in a public GitHub repository," the researchers said. "Despite successful AWS quarantine policies, the campaign maintains continuous fluctuation in the number and frequency of compromised victim accounts."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

CrowdStrike is moving deeper into application security with its agreement to acquire Bionic, provider of ASPM technology that proactively scans software in production for vulnerabilities.

CrowdStrike’s acquisition of Bionic last month is an example of how the company is strengthening its cloud security offerings.

Omdia senior principal analyst Rik Turner believes Bionic will lift CrowdStrike, best known as a leading extended detection and response (XDR), into a significant player in reactive cloud security. "This deal not only takes CrowdStrike into the world of AppSec but also the proactive side of the security market," Turner wrote in a research note.

The acquisition brings Cloud Native Application Protection Platform (CNAPP) and Application Security Posture Management (ASPM) capabilities to CrowdStrike’s Falcon platform. The company plans to combine the Falcon Horizon Cloud Security Posture Management (CSPM) and Falcon Cloud Workload Protection (CWP) modules with Bionic’s technology into a unified dashboard to allow DevOps teams the ability to prioritize cloud security incidents, mitigate runtime threats and provide threat hunting, the company said. Bionic said its ASPM features proactively discovers security, data privacy, and operational risks by continuously scanning and analyzing an organization’s application architecture and software dependencies to uncover any anomalies. Notably, it provides views into the security posture of applications in production.

At CrowdStrike’s Fal.Con user event last month, CrowdStrike president Mike Sentonas demonstrated how Bionic can expand CrowdStrike’s cloud security portfolio to include cloud infrastructure entitlement management (CIEM) capabilities. Bionic can provide visibility into Amazon Web Services and Microsoft Azure applications and the third-party services they communicate with, Sentonas said.

Developers update microservices and serverless functions daily through their CI/CD pipelines. Sentonas showed how Bionic mapped 102 application services, presented their dependencies, and identified how they communicate with each other. “You can drill into each cloud and see what business applications are running,” he said.

Proactive security consists of tools that can identify and remediate vulnerabilities, excessive access permissions and misconfigurations before threat actors discover and exploit them, according to Omdia’s Turner. “It is an approach that complements rather than replaces reactive security, effectively reducing the attack surface that reactive platforms such as XDR and the SIEM/SOAR continuum must address,” Turner said.

Many CrowdStrike customers attending the Fal.Con were familiar with Bionic, and some say they intend to evaluate it, such as Prabhath Karanth, global head of security and Trust at Navan (formerly TripAdvisor). "I’ve looked at Bionic in the past, and they have really good runtime application security technology in the context of the infrastructure," Karanth says.

"It sounds like they want to approach the problem from a runtime perspective and address the problem of running your applications and containers and all of that in production," Karanth says. "Because in a distributed microservices architecture, where your application is sitting in a containerized environment, this container runtime security becomes critical. I’d like to know more. It was just announced. But I think it’s a very strategic acquisition."

Bionic gives organizations a comprehensive view of the risk associated with everything that’s running in the cloud — the applications, the microservices, and everything that’s connected to it — which really represents risk, CrowdStrike founder and CEO George Kurtz said during the opening keynote at the Fal.Con event last month.

"The beauty and the magic of this technology is that you don’t need source code, or you don’t have to plug in the libraries," Kurtz said.

What the Bionic Acquisition Can Bring to CrowdStrike

An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.

For a strategic solution you seek:

*   Cost reduction & risk reduction
*   Efficiency optimisation
*   Embedded regulatory change management
*   Straight through process control
*   Senior management certification obligations
*   Regulatory reporting certainty, globally
*   Machine-readable regulatory reporting readiness

**SaaS**

Reduce your TCO. Let VERMEG handle the IT complexity​

**AGILE MI**

Gain valuable insights from your regulatory data​​

**AGILE Assure**

Bring the DataOps revolution to your regulatory data management ​​

​​

**Digital Transformation**

Extend, customise and innovate with AGILE Design Studio and Veggo ​​

**AGILE Reporter value for our clients**

Calculation & allocation: Comprehensive calculations from Basel III risks to national statistical allocations

Ratios: Credit & Market Risk, Leverage, Liquidity Coverage, Large Exposures, IRFS standard computations, integration of models and own analysis reporting

International reporting: Coverage including EBA & ECB (COREP, AnaCredit etc), and multiple international regulators in EU, UK, US, and MAS, HKMA, APRA and others

Added value: Capital utilisation, CFO & management information, dashboard status, threshold alerts, key performance metrics

Change management: VERMEG regulatory change management includes horizon management, impact analyses, data deltas and reporting update service

Workflow and maximised automation: Validations, variance, trend and other sanity checks achieve optimised straight-through processing

Process control: Enjoy ‘exceptions only’ intervention & instantly traceable attestation & approval audit trail

Sized & delivered to suit you: Choose from enterprise-wide full automation, or local last mile, on premise, in the cloud or Regulatory-Reporting-As-A-Service

Download our brochure about AGILE Reporter (PDF).

Granular Data Reporting – a new paradigm of innovation in regulatory reporting or just new challenges?

**Download the Whitepaper**

**Client stories**

**Client 1  
Tier 1 Domestic Bank**

**Challenge**

*   To find a Regulatory Reporting solution capable of integrating with external calculation and processing capabilities
*   To reduce operational risk
*   To increase reporting consistency and transparency
*   To facilitate accelerated regulatory change management

**Client 2  
Neobank growing from start-up**

**Challenge**

*   To find a partner for its Finance team to assist with regulatory reporting requirements in the immediate term and the future as the organisation evolves and scales to a fully fledged bank.
*   The need for a solution/system that minimises the resource requirements of bank’s teams in the areas of Solution Delivery
*   To find a vendor to provide not just a solution but also subject matter expertise to complement the in house team, and to ensure all new regulatory reporting requirements can be met.

**Solution**

*   Provision of AGILE Reporter’s out of the box integration to Oracle’s OFSAA (Oracle Financial Services Analytical Applications) platform.
*   Improved Straight Through Processing (STP) achieved from direct coupling of outputs from OFSAA Results data to AGILE Reporter.
*   VERMEG Subject Matter Expertise around the interpretation of client requirements and business for reporting purposes and the delivery of the operational process to fulfil these.
*   Ability to incorporate data from sources outside of OFSAA into regulatory reporting workflow to ensure completeness of automated reporting coverage.

**Solution**

*   Full scope automated AGILE Reporter deployment
*   VERMEG regulatory expertise to provide guidance on current and future regulatory requirements
*   Analysis Module to facilitate Bank scrutiny of Regulatory Data
*   Hosted on VERMEG cloud platform (Amazon Web Services)

**Results**

*   Streamlined overall Regulatory Reporting workflow while minimising manual intervention in the process
*   Increased accuracy of reporting results through use of the consolidated platform
*   Transparency of process by providing lineage of reporting data from source to regulatory return

**Results**

*   Automated, end-to-end solution providing population of regulatory returns from source data without manual intervention or work arounds
*   Flexible data mapping that meets the needs of a growing business and an evolving IT Architecture
*   Consistent data lineage from source through to final returns
*   Comprehensive validation checks ensure integrity of regulator submissions
*   Cloud solution minimises burden on Bank’s technical resources with regard to both delivery and ongoing maintenance

****Awards & Certifications****

**VEREMG is delighted to share that we were recently awarded ‘Best Vendor Solution for APRA APS 220′ AND ‘Best MAS 610 Solution’ by the RegTech Insight APAC Awards 2022 for our AGILE Reporter solution.**

Read More

CVE-2022-34834: AgileReporter | Regulatory Reporting Solution by VERMEG

**PRESS RELEASE**

**CAMBRIDGE, England****,** **Oct. 26, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security AI, today unveiled a new Darktrace/Cloud™ solution based on its unique Self-Learning AI. The new solution provides comprehensive visibility of cloud architectures, real-time cloud-native threat detection and response, and prioritized recommendations and actions to help security teams manage misconfigurations and strengthen compliance. When combined with insight from Darktrace solutions for network, email, apps, zero trust and endpoint, Darktrace/Cloud provides a deeper, contextualized understanding of the risks and threats currently facing an organization's digital estate.  

According to a recent report, "Gartner® anticipates over 99 percent of cloud breaches will be based on a customer error, account takeover or misconfiguration until 2027"\[1\]. Cloud environments are constantly evolving so security professionals need to increase the level of visibility while keeping up with changing compliance, risk and security requirements. The rise of cloud-native technologies including containers, Kubernetes and microservices also require new tools and techniques for detecting and responding to known and novel threats.

"Unlike static cloud security tools that provide snapshots of a specific point in time, Darktrace/Cloud is real-time, all the time. Our Self-Learning AI continuously learns patterns between workloads, assets, policy configurations and identities to provide a dynamic view of cloud architectures. We analyze the entire cloud stack from data to control plane, combining an understanding of architecture and network with a new flexible, scalable deployment model," said Jack Stockdale, Chief Technology Officer, Darktrace. "Our innovative approach to cloud security is built on more than a decade of leadership in Cyber AI that is already protecting our customers' critical business areas from network and email to operational technology."

Available today, the new capabilities in Darktrace/Cloud include:

*   **Comprehensive visibility and architecture modeling** for insights into the constantly changing nature of cloud environments. This visibility is constructed dynamically from configuration, network, users and identity and access management (IAM) data. Darktrace establishes patterns of life for cloud resources, identities, and services to understand who has access to what and how. This is critical for detecting anomalies and unknown threats.
*   **Universal attack path modeling** provides a dynamic view of where attackers may look to move next. Darktrace brings together real-time cloud data and a deep understanding of your cloud environment with a platform approach that provides insights about risks from other covered areas of the business (e.g., network, email) to highlight potential attack paths and prioritize important assets to secure.
*   **Unique real-time and cloud-native threat detection and response** that provides a dynamic view of known and novel threats within the cloud. Darktrace combines deep cloud attack path knowledge with real-time anomaly and threat detection through cloud-native autonomous response actions, such as detaching a policy from a user or removing a workload from a security group.
*   **Prioritized cloud posture management** that starts by examining cloud configurations against common compliance frameworks. Where misconfigurations are detected, Darktrace provides a prioritized view of what to fix first, based on a risk profile generated from security and business context. Guided steps can be provided to help teams proactively address these before they become a significant issue.
*   **Cost discovery** to provide a better understanding of cloud resource allocation. This helps teams contextualize their cloud resources according to security and business priorities.
*   **Communication and collaboration capabilities** to streamline workflows between security teams and DevOps teams. Tickets can be created on demand, teams can communicate directly via messaging platforms, and alerts and anomaly detections can be sent to Security Information & Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) products and the Darktrace Mobile app so they can be alerted on the go.
*   **Flexible deployment options** include an agentless deployment by default so organizations can be up and running in minutes. Teams can use the dynamic architectural view and risk context to decide where to deploy agents for enhanced real-time actions and deeper inspection.

Sykes Cottages, a cloud-native travel agency platform in the UK, has experienced significant growth in the last five years and has relied on the cloud to help them scale throughout this period.

"When it comes to cybersecurity, having visibility and an understanding of what you've got and your risks is critical. If I don't know it's there, I can't protect it," said Jonny Mattey, Head of Cybersecurity, Sykes Cottages. "Having a holistic, live view of our cloud environment enables us to work pragmatically and use AI to cut down management time so that we can address security risks and improve our resilience."

The new Darktrace/Cloud solution is now available on Amazon Web Services (AWS) through the AWS Marketplace, a curated digital catalog that makes it easy for customers to find, buy, deploy, and manage the third-party software they need to build solutions and run their business. Darktrace and AWS have been collaborating since 2017 to help organizations secure their AWS environments. Darktrace protects AWS environments for organizations around the world including Sunwest Bank and ProPhase Labs. Darktrace is an AWS Security Competency Partner and is part of the AWS ISV Accelerate program.

"Security is job zero at AWS," said Paddy Fitzpatrick, Director – Independent Software Vendors, UK & Ireland at Amazon Web Services. "As the threat landscape continues to evolve, the availability of AI-based tools like Darktrace/Cloud on the AWS Marketplace will help customers to gain increased visibility, and respond more effectively to security risks and threats."

Darktrace first extended its Cyber AI capabilities to cloud environments in 2016, applying its world class algorithms to granular network traffic. Darktrace/Cloud was recently named Cloud Security Product of the Year for Large Enterprises by Computing Magazine in its 2023 Cloud Excellence Awards.

Learn more about the new enhancements to Darktrace/Cloud by tuning into the launch event at 11:30am ET/4:30pm BST.

**ABOUT DARKTRACE**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, is on a mission to free the world of cyber disruption. Breakthrough innovations in our Cyber AI Research Center in Cambridge, UK have resulted in over 160 patents filed and research published to contribute to the cyber security community. Rather than study attacks, Darktrace's technology continuously learns and updates its knowledge of 'you' and applies that understanding to optimize your state of optimal cyber security. Darktrace is delivering the first ever Cyber AI Loop, fueling a continuous end-to-end security capability that can autonomously spot and respond to novel in-progress threats within seconds. Darktrace employs over 2,200 people around the world and protects approximately 8,900 customers globally from advanced cyber threats. Darktrace was named one of TIME magazine's 'Most Influential Companies' in 2021. To learn more, visit http://www.darktrace.com.

SOURCE Darktrace

Darktrace Unveils Cloud-Native Security Solution Using AI

Cloudflare on Thursday said it mitigated thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed flaw called HTTP/2 Rapid Reset, 89 of which exceeded 100 million requests per second (RPS).
"The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter," the web infrastructure

Network Security / Cyber Attack

Cloudflare on Thursday said it mitigated thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed flaw called HTTP/2 Rapid Reset, 89 of which exceeded 100 million requests per second (RPS).

"The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter," the web infrastructure and security company said in a report shared with The Hacker News. "Similarly, L3/4 DDoS attacks also increased by 14%."

The total number of HTTP DDoS attack requests in the quarter surged to 8.9 trillion, up from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023. The number of attack requests in Q4 2022 stood at 6.5 trillion.

HTTP/2 Rapid Reset (CVE-2023-44487) came to light earlier this month following an industry-wide coordinated disclosure that delved into DDoS attacks orchestrated by an unknown actor by leveraging the flaw to target various providers such as Amazon Web Services (AWS), Cloudflare, and Google Cloud.

Fastly, in a disclosure of its own on Wednesday, said it countered a similar attack that peaked at a volume of about 250 million RPS and a duration of approximately three minutes.

"Botnets that leverage cloud computing platforms and exploit HTTP/2 are able to generate up to x5,000 more force per botnet node," Cloudflare noted. "This allowed them to launch hyper-volumetric DDoS attacks with a small botnet ranging 5-20 thousand nodes alone."

Some of the top industries targeted by HTTP DDoS attacks include gaming, IT, cryptocurrency, computer software, and telecom, with the U.S., China, Brazil, Germany, and Indonesia accounting for the biggest sources of application layer (L7) DDoS attacks.

On the other hand, the U.S., Singapore, China, Vietnam, and Canada emerged as the main targets of HTTP DDoS attacks.

"For the second consecutive quarter, DNS-based DDoS attacks were the most common," the company said. "Almost 47% of all attacks were DNS-based. This represents a 44% increase compared to the previous quarter. SYN floods remain in second place, followed by RST floods, UDP floods, and Mirai attacks."

Another notable change is the decrease in ransom DDoS attacks, which Cloudflare said "is because threat actors have realized that organizations will not pay them."

The disclosure comes amid internet traffic fluctuations and a spike in DDoS attacks in the aftermath of the Israel-Hamas war, with Cloudflare repelling several attack attempts aimed at Israeli and Palestinian websites.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Record-Breaking 100 Million RPS DDoS Attack Exploits HTTP/2 Rapid Reset Flaw

An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.

Avoid crashing bgpd.

\`\`\`
(gdb)
bgp\_mp\_reach\_parse (args=<optimized out>, mp\_update=0x7fffffffe140) at bgpd/bgp\_attr.c:2341
2341			stream\_get(&attr->mp\_nexthop\_global, s, IPV6\_MAX\_BYTELEN);
(gdb)
stream\_get (dst=0x7fffffffe1ac, s=0x7ffff0006e80, size=16) at lib/stream.c:320
320	{
(gdb)
321		STREAM\_VERIFY\_SANE(s);
(gdb)
323		if (STREAM\_READABLE(s) < size) {
(gdb)
34	  return \_\_builtin\_\_\_memcpy\_chk (\_\_dest, \_\_src, \_\_len, \_\_bos0 (\_\_dest));
(gdb)

Thread 1 "bgpd" received signal SIGSEGV, Segmentation fault.
0x00005555556e37be in route\_set\_aspath\_prepend (rule=0x555555aac0d0, prefix=0x7fffffffe050,
    object=0x7fffffffdb00) at bgpd/bgp\_routemap.c:2282
2282		if (path->attr->aspath->refcnt)
(gdb)
\`\`\`

With the configuration:

\`\`\`
 neighbor 127.0.0.1 remote-as external
 neighbor 127.0.0.1 passive
 neighbor 127.0.0.1 ebgp-multihop
 neighbor 127.0.0.1 disable-connected-check
 neighbor 127.0.0.1 update-source 127.0.0.2
 neighbor 127.0.0.1 timers 3 90
 neighbor 127.0.0.1 timers connect 1
 address-family ipv4 unicast
  redistribute connected
  neighbor 127.0.0.1 default-originate
  neighbor 127.0.0.1 route-map RM\_IN in
 exit-address-family
!
route-map RM\_IN permit 10
 set as-path prepend 200
exit
\`\`\`

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

CVE-2023-46752: bgpd: A couple more bgpd crashes on malformed attributes by ton31337 · Pull Request #14645 · FRRouting/frr

In today's digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations. 
Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for

Ransomware/ Malware Threat

In today's digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations.

Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for threat actors. It remains susceptible to ransomware attacks which are often initiated using leaked access keys that have accidentally been exposed by human error and have access to the organization's buckets.

To effectively combat these evolving threats, it is vital to ensure that your organization has visibility into your S3 environment, that you are aware of how threat actors can compromise data for ransom and most importantly, best practices for minimizing the risk of cyber criminals successfully executing such an attack.

****Ensuring Visibility: CloudTrail and Server Access Logs****

Visibility serves as the foundation for any effective detection strategy. In Amazon S3, nearly every action translates to an API call, which are meticulously recorded in CloudTrail and documented in AWS documentation.

The two primary options for logging activity in S3 buckets — CloudTrail Data Events and Server Access Logs — hold a wealth of information that security practitioners must leverage to anticipate and detect suspicious activity. Each offer distinct advantages and trade-offs:

*   Cloud Trail Data Events: offer visibility into resource operations performed on or within a resource in real-time, but comes with potential cost implications due to high API call volumes
*   Server Access Logs: free access to records for each request made to your S3 bucket, but come with potential delays in log availability and potential logging with less integrity.

The advantages and trade-offs between Server Access Logs and AWS CloudTrial logs.

****Mitigating Risk by Understanding the Attack Scenarios****

Utilizing the above logs to ensure adequate visibility, it is possible to keep an eye out for potential attack scenarios in order to mitigate risks effectively. There are three main attack scenarios that we observe with S3 ransomware attacks, all which can prevent an organization from accessing its data. Below are the attack scenarios, along with links to hunting queries that the expert threat hunting team from Hunters' Team Axon has shared publicly that allow anyone to search for these attack scenarios within their own environments:

1.  Object Encryption: ransomware commonly involves file encryption to deny an organization access to their files, harm business operations and demand ransom for getting the files back

1.  Hunting Query: https://github.com/axon-git/threat-hunting-tools/blob/main/S3%20Ransomware/s3\_ransomware\_objects\_encrypted\_with\_a\_kms\_key\_not\_owned\_by\_the\_organization.sql

3.  Object Deletion - Delete Operations: deleting all objects from a bucket is an easy way for threat actors to have a major impact on business operations, improving the chances of victims paying ransoms

1.  Hunting Query: https://github.com/axon-git/threat-hunting-tools/blob/main/S3%20Ransomware/s3\_ransomware\_unauthorized\_object\_deletions.sql

5.  Object Deletion - Lifecycle Policy: a less straightforward but quieter way to delete files in Cloudtrail that still offers high chances of a paid ransom

1.  Hunting Query: https://github.com/axon-git/threat-hunting-tools/blob/main/S3%20Ransomware/s3\_ransomware\_unauthorized\_deletion\_using\_bucket\_lifecycle.sql

_\*Note: Object Encryption and Object Deletion - Delete Operations require enabling Cloudtrail Data Events for the appropriate buckets._

Each scenario poses significant disruptions, potentially preventing organizations from accessing critical data. By delving into the required permissions, attacker perspectives, and detection methods for each scenario, organizations can proactively prepare for potential threats.

****Protection and Best Practices****

Understanding the attack scenarios helps to provide context for how to implement proactive measures to significantly reduce the attack surface. There are several things that can be done to enhance the security of S3 buckets from the threat of ransomware.

*   Use IAM roles for short-term credentials: avoid using static IAM access keys. If you are using IAM users, be sure to enable Multi-Factor Authentication (MFA) for them.
*   Follow the principle of least privilege: this ensures that users and roles only possess the permissions necessary for their tasks. Additionally, utilize bucket policies to restrict access to these essential resources.
*   Enable S3 Versioning: this means keeping record of every version of every object stored in your bucket instead of directly modifying it. This is very effective against unauthorized override or deletions.
*   Enable S3 Object Lock: operating on a write-once, read-many (WORM) model, means that your data cannot be deleted by anyone (the data is "locked") which safeguards against modifications for defined time periods.
*   Set up AWS Backup/Bucket Replication: this can be any form of backup that is separate in location and access control from your actual bucket.
*   Implement server-side encryption with AWS KMS keys: this provides your organization with specific control over who can access bucket objects. This supplies yet another level of protection against who can encrypt and decrypt objects in your bucket.

****Conclusion****

As data volumes continue to surge, securing Amazon S3 is paramount in safeguarding millions of organizations against ransomware attacks and evolving cyber threats.

Prioritizing threats, ensuring visibility through CloudTrail and Server Access Logs, and implementing proactive measures are essential steps in mitigating risk. By adopting these strategies, organizations can fortify their S3 buckets' protection and ensure the integrity and security of their critical data.

For a more in depth breakdown of common attack scenarios and best practices, check out a video deep dive from Team Axon. Team Axon is the expert threat hunting arm of the popular SIEM replacement Hunters, and offers rapid response to emerging cyber threats, on-demand cyber expertise and proactive threat hunting across customers' environments. Follow Team Axon on X for timely updates on emerging cyber threats and premiere cyber content.

****Additional S3 Resources:****

*   AWS Customer Playbook (GitHub)
*   Incident Response Workshop for S3 ransomware (AWS)

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Rise of S3 Ransomware: How to Identify and Combat It

Zatik takes a fractional approach to AppSec leadership to help small firms access the expertise they need to build secure-by-design software.

One of the fundamental principles of secure-by-design software development is that organizations need to account for security concerns right out of the gate. It's built into the way the applications are designed, architected, and coded. The trouble for small companies that build software is that it can be really hard for them to access and pay for the kind of application security expertise necessary to fold that kind of accountability into the engineering or DevOps process. And so small companies build and ship their software — oftentimes innovative applications upon which their whole business model is based — without much consideration for security.

By the time a startup has "grown up" and built its business big enough to feasibly hire some application security professionals, secure-by-design has already gone out the window. The software stack has already accumulated a ton of security technical debt. That new AppSec team is behind the eight ball before they even start. And without expensive refactoring, oftentimes all they can do is bolt on security controls or apply Band-Aids to security problems that may run very deep.

It's an age-old problem, and one that's simply not practical to get all preachy about to small business owners or small dev teams.

"Experienced application security people are in short supply, and they're getting hoovered up by the big companies, by the Microsofts, Amazons, Apples, and Googles of the world, and if you are a smaller company, you're just not competing on that playing field," explains Kymberlee Price, who has led product security and AppSec teams, worked as a security researcher, and run red team and incident response operations for the likes of Microsoft, Amazon, and Bugcrowd.

Price has been around the block enough to recognize that not only are best-in-class product security pros and security-aware developers still the "unicorns" of the software engineering market, but also that most small businesses aren't big enough to even have enough work to keep one of them busy for very long.

"They don't need a unicorn full time. They need a unicorn maybe for a quarter to set some strategy, and then they need 10% of a unicorn for the rest of the year," she says.

**Sharing the Unicorns**

This is the underlying problem Price hopes to alleviate with her new consulting firm, Zatik. Together with co-founder Jon Callas, another security luminary known for founding PGP and Silent Circle, Price hopes to level the software security playing field for startups and small businesses. Zatik is a fractional security consulting firm that helps companies tap into that small percentage of unicorn-level AppSec expertise that they need to get a security program up and running. It's built in the same mold as a virtual CISO (vCISOs), with a slightly different focus.

"We love virtual CISOs. But they're frequently enterprise-focused and compliance-focused. And we're more looking at, how do you build your product securely by design, the DevOps pipeline, CI/CD, security controls, and things like that," Price explains. "So it's a really nice complement to that fractional model."

For some companies, if they're early enough in their arc, they may need the full package of building out an entire cybersecurity program — something she and Callas are equipped to help them navigate.

"Our sweet spot really is securing the developer experience, but we can help them look at their tech stack, make some recommendations, and make some introductions to other partners," says Price.

She says that she and Callas currently run the company themselves, but they plan on adding more staff as Zatik scales and also leaning on a network of partners to provide additional expertise in areas as necessary for their clients.

"I mean, I can't help you secure your product if you have no employee access control," Price says. "So we wouldn't turn our nose up at other areas."

Ultimately, the goal is to help smaller companies develop that security-by-design ethos from the outset. Price sees that not only as a great business opportunity, but a way to move the needle on security across the tech world.

"One of the things I love about the kind of small companies we're talking to is we're getting in early in their maturity cycle," she says. "So as they're growing, they're growing with a secure-by-design platform where the engineers they're hiring and managing understand that this is 'just how we do it.' Of course we have branch protection, of course we do these things because it was there from day one, versus the security team showing up later and demanding that they have to change things."

Do Small Companies Need Fractional AppSec Teams Akin to Virtual CISOs?

Ubuntu Security Notice 6439-2 - It was discovered that the IPv6 implementation in the Linux kernel contained a high rate of hash collisions in connection lookup table. A remote attacker could use this to cause a denial of service. Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in the Linux kernel contained a race condition, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6439-2  
October 23, 2023

linux-aws vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems

Details:

It was discovered that the IPv6 implementation in the Linux kernel  
contained a high rate of hash collisions in connection lookup table. A  
remote attacker could use this to cause a denial of service (excessive CPU  
consumption). (CVE-2023-1206)

Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in  
the Linux kernel contained a race condition, leading to a null pointer  
dereference vulnerability. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-31083)

Ross Lagerwall discovered that the Xen netback backend driver in the Linux  
kernel did not properly handle certain unusual packets from a  
paravirtualized network frontend, leading to a buffer overflow. An attacker  
in a guest VM could use this to cause a denial of service (host system  
crash) or possibly execute arbitrary code. (CVE-2023-34319)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a null pointer dereference vulnerability in some  
situations. A local privileged attacker could use this to cause a denial of  
service (system crash). (CVE-2023-3772)

Kyle Zeng discovered that the networking stack implementation in the Linux  
kernel did not properly validate skb object size in certain conditions. An  
attacker could use this cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-42752)

Kyle Zeng discovered that the netfiler subsystem in the Linux kernel did  
not properly calculate array offsets, leading to a out-of-bounds write  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-42753)

Kyle Zeng discovered that the IPv4 Resource Reservation Protocol (RSVP)  
classifier implementation in the Linux kernel contained an out-of-bounds  
read vulnerability. A local attacker could use this to cause a denial of  
service (system crash). Please note that kernel packet classifier support  
for RSVP has been removed to resolve this vulnerability. (CVE-2023-42755)

Bing-Jhong Billy Jheng discovered that the Unix domain socket  
implementation in the Linux kernel contained a race condition in certain  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4622)

Budimir Markovic discovered that the qdisc implementation in the Linux  
kernel did not properly validate inner classes, leading to a use-after-free  
vulnerability. A local user could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-4623)

Alex Birnberg discovered that the netfilter subsystem in the Linux kernel  
did not properly validate register length, leading to an out-of- bounds  
write vulnerability. A local attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2023-4881)

It was discovered that the Quick Fair Queueing scheduler implementation in  
the Linux kernel did not properly handle network packets in certain  
conditions, leading to a use after free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4921)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.4.0-1124-aws      4.4.0-1124.130  
   linux-image-aws                 4.4.0.1124.121

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6439-2  
   https://ubuntu.com/security/notices/USN-6439-1  
   CVE-2023-1206, CVE-2023-31083, CVE-2023-34319, CVE-2023-3772,  
   CVE-2023-42752, CVE-2023-42753, CVE-2023-42755, CVE-2023-4622,  
   CVE-2023-4623, CVE-2023-4881, CVE-2023-4921

Ubuntu Security Notice USN-6439-2

Hamas has threatened to broadcast videos of hostage executions. With the war between Israel and Hamas poised to enter a new phase, are social platforms ready?

For the past decade, social media platforms have struggled to stop the spread of extremist violence livestreamed on their platforms. Now they face a much different problem: This time, they know what’s coming.

In the days after Hamas attacked Israel on October 7, the group’s military wing said it would kill an Israeli hostage every time Israel launched an attack on Gaza. Abu Obeida, a spokesperson for the al-Qassam Brigades, added that these executions would be broadcast “in audio and video.” As of today, Hamas is holding 220 people hostage, according to the Israel Defense Forces.

Amid the October 7 attack, one person livestreamed footage showing Hamas fighters murdering Israeli citizens—a clip of which was later shared by Donald Trump Jr. on X. And in the days after the attack, Hamas hijacked the accounts of those hostages on platforms like Facebook and Instagram to livestream attacks and issue death threats.

In response, tech companies appeared to take things seriously.

Meta launched a “special operations center” to track content on Facebook, Instagram, and Threads. TikTok activated its “command center.” X (formerly Twitter) mobilized its “cross-company leadership group.” YouTube activated its “intelligence desk.” And Reddit tells WIRED its “safety team” is on alert.

But when WIRED asked for specific details about how they are going to prevent bad actors from weaponizing the platforms’ livestreaming capabilities, none of the companies offered any specific details, instead pointing to their general online guidance about livestreaming policies, if they responded at all. For example, Meta directed WIRED to a 2019 blog post from chief information security officer Guy Rosen about how the company was planning to curb the use of its livestream products in the wake of the Christchurch massacre, during which a gunman killed 51 people at a mosque in New Zealand in March of that year.

Despite the press releases indicating all-hands-on-deck attention to the livestreaming problem, industry experts say social media companies are showing a lack of transparency and an unwillingness to take the measures needed to prevent execution videos from spreading on their platforms, such as suspending livestreaming capabilities completely during the Israel-Hamas war.

“Hamas’ threats to execute these people on livestreams is happening because it’s possible for them to broadcast it,” Imran Ahmed, the founder and CEO of Center for Countering Digital Hate, a nonprofit that tracks hate speech on social platforms, tells WIRED. “They’re doing this for the spectacle because it terrorizes us. If we took away their ability to generate that spectacle, would they be doing this? What comes first, the livestream or the execution?”

Ahmed alleges that the companies are failing to implement systems that automatically detect violent extremist content as effectively as they detect some other kinds of content. “If you have a snatch of copyrighted music in your video, their systems will detect it within a microsecond and take it down,” Ahmed says, adding that “the fundamental human rights of the victims of terrorist attacks” should carry as much urgency as the “property rights of music artists and entertainers.”

The lack of details about how social platforms plan to curb the use of livestreams is, in part, because they are concerned about giving away too much information, which may allow Hamas, Palestinian Islamic Jihad (PIJ), and other militant groups or their supporters to circumvent the measures that are in place, an employee of a major platform who was granted anonymity because they are not authorized to speak publicly claimed in a communication with WIRED.

Adam Hadley, founder and executive director of Tech Against Terrorism, a United Nations-affiliated nonprofit that tracks extremist activity online, tells WIRED that while maintaining secrecy around content moderation methods is important during a sensitive and volatile conflict, tech companies should be more transparent about how they work.

“There has to be some degree of caution in terms of sharing the details of how this material is discovered and analyzed,” Hadley says. “But I would hope there are ways of communicating this ethically that don’t tip off terrorists to detection methods, and we would always encourage platforms to be transparent about what they’re doing.”

The social media companies say their dedicated teams are working around the clock right now as they await the launch of Israel’s expected ground assault in Gaza, which Hadley believes could trigger a spate of hostage executions.

And yet, for all of the time, money, and resources these multibillion-dollar companies appear to be putting into tackling this potential crisis, they are still reliant on Tech Against Terrorism, a tiny nonprofit, to alert them when new content from Hamas or PIJ, another paramilitary group based in Gaza, is posted online.

Hadley says his team of 20 typically knows about new terrorist content before any of the big platforms. So far, while tracking verified content from Hamas’ military wing or the PIJ, Hadey says the volume of content on the major social platforms is “very low.”

“Examples that we can find on large platforms of that official content are in the thousands, so not a lot of examples, compared with significantly more on Telegram,” Hadley says. “We are sharing alerts to 60 platforms who have been implicated with \[Hamas\] and PIJ content to date, but very low volumes are present.”

Hamas is banned on Facebook, Instagram, YouTube, and TikTok, so it has typically not used these mainstream platforms to any great extent, though X said earlier this month that it had removed hundreds of Hamas-affiliated accounts. Instead, Hamas prefers to use Telegram.

“Because the use of Telegram is so widespread and simple, we will assume they will continue to do this because terrorists prioritize platforms they can use most easily,” Hadley says, “and why would they bother with anything other than Telegram?”

Meta, X, and YouTube collaborate to share information about what they are seeing on the platforms. Telegram does not take part in such partnerships. While it has blocked some channels in certain jurisdictions, Telegram has typically taken a hands-off approach to content moderation, meaning Hamas and related groups have been mostly free to post whatever content they like on its platform.

Telegram did not respond to WIRED’s questions about how it would deal with execution videos on its platform, nor did X or Twitch. Discord declined to provide an on-the-record comment.

While Hadley sees Telegram as the primary concern, mainstream platforms are still at risk of facilitating the spread of this content. Videos can easily be downloaded from Telegram and reposted on any other platform, which is where the mainstream social media networks face the challenge of stopping them.

When asked to provide more details about their efforts, Meta and TikTok directed WIRED to their policy pages outlining the work they are doing to prevent the spread of these videos. YouTube spokesperson Jack Malon tells WIRED that “our teams are working around the clock to monitor for harmful footage across languages and locales.” A Reddit spokesperson says the company has “dedicated teams with linguistic and subject-matter expertise actively monitoring the conflict and continuing to enforce Reddit’s Content Policy across the site.”

One of the key ways that tech companies try to keep violent extremist content from going viral on their platforms is by using what are known as hashing databases. When content from a terrorist organization is identified, it is “hashed” to create a unique identifier that can then be shared among all companies to automatically prevent that video or image from being reshared elsewhere.

The sharing of these hashes and communication around incidents like the Israel-Hamas war are coordinated by the Global Internet Forum to Counter Terrorism (GIFCT), a small team of experts whose mission is to stop tech platforms from being exploited by violent extremists. The group was founded in 2017 by Facebook, Microsoft, X (then Twitter), and YouTube as a way of centralizing and coordinating the sharing of information. Companies like Dropbox, Amazon, Pinterest, and Zoom also provide funding to the group.

GIFCT did not provide a spokesperson to answer WIRED’s questions, but a statement on the group’s website says it is “providing regular situational awareness across member companies and support in addressing content relating to this conflict that violates their platform policies.”

Even when mainstream platforms have access to a shared database of verified terrorist content and centralized communications with experts who are tracking this content closely, they still have a lot of work to do in order to prevent violent videos from spreading on their platforms.

“This will be a big litmus test for the mainstream platforms,” Hadley says. “We would expect their algorithmic systems to be able to detect the \[Hamas\] logo, for instance, and respond accordingly. So actually, we’re quietly confident that those platforms will be alright to handle it. And I would hope that they’ve been training their algorithms in anticipation of this, based on the very large amounts of existing content from \[Hamas and PIJ\]. But unfortunately, we have no insight into that at all.”

Tag

#amazon