AWS Data Breaches
What’s causing data breaches on AWS?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics | Code.
🔒 Related Stories: AWS Security | Data Breaches | Cybersecurity
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I periodically review the news to see what’s causing data breaches and how organizations can stop them. Here I’m taking a look at AWS breaches, mainly those reported so far in 2023. See my related post on Microsoft Azure Data Breaches.
This is a pretty cool story on how AWS is stopping data breaches and detecting botnets and malware. For example:
In the case of Sandworm, AWS said the honeypot caught the actor attempting to exploit a security vulnerability affecting WatchGuard network security appliances. “With close investigation of the payload, we identified not only IP addresses but also other unique attributes associated with the Sandworm threat that were involved in an attempted compromise of an AWS customer,” it added.
Ransomware on AWS bucket
Compromise of a third party with AWS credentials.
Malware on employee laptop via software vulnerability.
“suspicious activity within the company’s Amazon Web Services (“AWS”) environment”
S3 bucket.
“Misconfigured AWS Server”…According to Kofman, the server was integrated with the company’s Slack platform…The server was misconfigured to allow access to the reports on the server without proper authentication.
https://cybernews.com/security/wbsc-data-leak-passports/
Or a C2 server…
Found scanning containers in Dockerhub
Zenbleed — found and fixed.
Based on the above statement 62% sounds a bit high. Also this page isn’t working at the moment.
“Misconfigurations in web applications are still the primary method used by Legion to retrieve credentials,” Muir said.
A very interesting read on the Capital One breach.
The attack started with a threat actor exploiting a Kubernetes cluster, using an internal service to gain temporary credentials, and then used those credentials to enumerate other Elastic Compute Cloud (EC2) services that had been deployed in the targeted company’s infrastructure. In the end, the company — which was not named in the incident report published today — had properly limited the scope of permissions for the stolen identity, which blunted the attack.
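The incident above was blunted because the stolen identity had a narrow set of permissions. As an added example (my own code, not from the incident report or any AWS tool), here is a small linter that flags the IAM policy statements that give a stolen workload identity the most room to move: global or service-wide action wildcards, `NotAction` grants, and mutating actions on `Resource: "*"`. The policy documents and the account ID in them are constructed samples.

```python
"""Flag overly broad Allow statements in an IAM policy document.

Added example; the sample policies below are constructed, not taken from
any real account or from the incident described in the post.
"""

# Actions that only read metadata. They still help an attacker enumerate
# EC2 and other services, but they cannot change or exfiltrate data on
# their own, so read-only actions on Resource "*" are not flagged here.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True for verbs such as ec2:DescribeInstances, False for wildcards."""
    if action == "*" or action.endswith(":*"):
        return False
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy):
    """Return (Sid, finding) tuples for Allow statements that grant more
    than a scoped workload role should need."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{index}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows every action not listed; "
                                  "use an explicit Action list"))
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API in every service"))
        for action in actions:
            if action.endswith(":*") and action != "*":
                findings.append((sid, f"service-wide wildcard {action}"))
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append((sid, "mutating actions allowed on Resource '*'"))
    return findings


# Constructed sample: the kind of policy that lets a stolen credential
# pivot anywhere in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# Constructed sample: a role that can work one queue and describe
# instances, which is roughly the scoping that blunted the attack above.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WorkOrdersQueue",
            "Effect": "Allow",
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": "arn:aws:sqs:us-east-1:123456789012:orders",
        },
        {
            "Sid": "DescribeOnly",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

Run this against the policies attached to the roles your pods and instances assume; a clean result does not prove least privilege, but any finding is a statement worth justifying before an attacker does the enumeration for you.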
IT giant Infosys accidentally published a file to PyPI containing AWS keys to an S3 bucket potentially containing patient data from Johns Hopkins University, publicly accessible for more than a year. (From 2022, but kind of a big deal.)
Miscreants are using expired Amazon Web Services (AWS) S3 buckets to place malicious code into a legitimate package in the npm repository without having to tinker with any code.
Ideally a source of Python libraries that developers can include in their projects to save time, PyPI has again been caught hosting packages with live Amazon Web Services (AWS) keys and data-stealing malware.
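Both the Infosys leak and the PyPI packages above share one failure: a file holding live AWS keys made it into a published artifact. As an added example (my own code, not from either story, PyPI or AWS), this scanner checks a set of files before publishing and reports AWS access key IDs and secret-key assignments with their line numbers, masking the values it prints. The key IDs in the sample use the `AKIA` (long-term) and `ASIA` (temporary) prefixes that AWS issues; the sample values themselves are constructed, the first pair being the placeholder key AWS uses in its own documentation.

```python
"""Pre-publish scan for AWS credentials in source files.

Added example; the files and key values below are constructed samples.
"""
import os
import re
from dataclasses import dataclass

# AWS access key IDs are 20 uppercase alphanumerics; AKIA marks a long-term
# IAM user key and ASIA a temporary (STS) key. The lookarounds keep the
# pattern from firing inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret key is 40 characters of base64-style text. On its own that is
# too generic, so only an assignment to the standard variable name counts.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str      # "access_key_id" or "secret_access_key"
    masked: str    # first 4 and last 4 characters only


def _mask(value):
    return value[:4] + "..." + value[-4:]


def scan_text(path, text):
    """Return a Finding for every credential-looking value in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, number, "access_key_id", _mask(match.group(0))))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, number, "secret_access_key", _mask(match.group(1))))
    return findings


def scan_files(files):
    """files maps a path to its text content; returns all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root):
    """Walk a source tree on disk (for example a build directory just
    before `twine upload`) and scan every readable text file."""
    files = {}
    for directory, _, names in os.walk(root):
        for name in names:
            path = os.path.join(directory, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as handle:
                    files[path] = handle.read()
            except OSError:
                continue
    return scan_files(files)


def has_leaks(files):
    """Gate for a release script: True means do not publish."""
    return bool(scan_files(files))


# Constructed sample tree: one settings file with a hard-coded pair, a
# README that only names the variable, and a CLI config with a temporary key.
SAMPLE_FILES = {
    "settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'BUCKET = "patient-exports"\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
    "config.ini": "[default]\naws_access_key_id = ASIAEXAMPLE123456789\n",
}


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line} {finding.kind} {finding.masked}")
    print("publish blocked" if has_leaks(SAMPLE_FILES) else "clean")
```

Wire `has_leaks` (or `scan_directory` on the build output) into the release pipeline so the upload step fails closed. Pattern scanning is a last line of defence, not a substitute for keeping static keys out of code in the first place: workloads should obtain credentials from an instance or task role, and any key this scan does catch should be treated as exposed and rotated.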
Lambda malware — 2022 but interesting.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign up for my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab