Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware
An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that’s commonly associated with Chinese hacking crews.
Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and
A Costly Mistake: How an Empty S3 Bucket Led to a Massive AWS Bill
AWS Customer Faces Massive Bill Due to Open-Source Tool Misconfiguration.
In a startling incident, an AWS customer faced a staggering $1,300 bill for S3 usage, despite creating a single, empty bucket for testing purposes.
The culprit? A popular open-source tool with a default configuration that stored backups in the customer’s S3 bucket, leading to a deluge of unauthorized requests.
The customer, who remained anonymous, shared their experience in a detailed blog post, shedding light on the unexpected costs and potential security risks associated with misconfigured tools and S3 bucket naming conventions.
The Unexpected Bill
After creating a private S3 bucket in the eu-west-1 region for a proof-of-concept document indexing system, the customer was shocked to discover nearly 100,000,000 S3 PUT requests executed within a single day, resulting in a bill exceeding $1,300.
The Root Cause: Misconfigured Open-Source Tool
Upon investigation, the customer discovered that a popular open-source tool had a default configuration that used the same bucket name as their private S3 bucket for storing backups.
As a result, every deployment of this tool with the default configuration attempted to store its backups in the customer’s bucket, leading to a massive influx of unauthorized requests.
In a response from AWS support, the customer learned that S3 charges for unauthorized requests (4xx errors) as well, even if the requests are denied.
This meant that the customer was responsible for paying for the millions of unauthorized requests made to their bucket.
In a concerning experiment, the customer briefly made their bucket publicly writable and collected over 10 GB of data within 30 seconds.
“One of the popular open-source tools had a default configuration to store their backups in S3. And, as a placeholder for a bucket name, they used… the same name that I used for my bucket. This meant that every deployment of this tool with default configuration values attempted to store its backups in my S3 bucket!” the user wrote in the blog post.
This highlighted the potential for data leaks and security breaches due to misconfigured systems attempting to write data to unintended S3 buckets.
The incident underscored several important lessons:
Bucket Naming Conventions: Adding a random suffix to an S3 bucket name makes it unguessable from its purpose, which reduces exposure to misconfigured systems and to deliberate attacks alike.
Specifying AWS Regions: When executing numerous requests to S3, explicitly specifying the AWS region avoids the additional cost of S3 API redirects.
Unauthorized Request Charges: AWS charges for unauthorized requests even when they are denied, which can lead to unexpected costs if bucket request volume is not monitored.
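The two defensive lessons above, monitoring for denied writes and picking an unguessable bucket name, as a worked example added here (not code from the customer's blog post or from AWS). The access-log lines are constructed sample data in the S3 server-access-log layout, and the per-1,000 PUT price is an assumed list price, not a figure from the article.

```python
import re
import secrets
from collections import Counter

# Constructed S3 server-access-log lines (sample data, not from the article):
# two denied PUTs from a misconfigured backup tool and one legitimate owner GET.
SAMPLE_LOG = """\
79a5 docs-index [18/Jun/2024:10:01:02 +0000] 203.0.113.7 - 3E57427F3EXAMPLE REST.PUT.OBJECT backups/db.tar.gz "PUT /backups/db.tar.gz HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-sdk-go/1.44" - -
79a5 docs-index [18/Jun/2024:10:01:03 +0000] 198.51.100.9 - 3E57427F4EXAMPLE REST.PUT.OBJECT backups/db.tar.gz "PUT /backups/db.tar.gz HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "aws-sdk-go/1.44" - -
79a5 docs-index [18/Jun/2024:10:02:00 +0000] 192.0.2.4 79a5 3E57427F5EXAMPLE REST.GET.OBJECT poc/index.json "GET /poc/index.json HTTP/1.1" 200 - 512 512 7 6 "-" "boto3/1.34" - -
"""

# Leading fields of the S3 server access log format:
# owner bucket [time] ip requester request_id operation key "uri" status error
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+)'
)

def parse_s3_log(text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records

def denied_writes_by_source(records):
    """Count 4xx write attempts per remote IP: the signal that foreign
    deployments are hammering the bucket as their default backup target."""
    hits = Counter()
    for r in records:
        if 400 <= r["status"] < 500 and r["operation"].startswith("REST.PUT"):
            hits[r["ip"]] += 1
    return dict(hits)

def estimate_request_cost(request_count, usd_per_1000=0.005):
    """Denied requests are still billed; the price is assumed, verify it against current AWS pricing."""
    return request_count / 1000 * usd_per_1000

def suffixed_bucket_name(base, suffix_bytes=6):
    """Append a random suffix so the name is not guessable from its purpose,
    then check the result against S3's bucket naming rules."""
    name = f"{base.lower()}-{secrets.token_hex(suffix_bytes)}"
    if not (3 <= len(name) <= 63 and re.fullmatch(r"[a-z0-9][a-z0-9.-]*[a-z0-9]", name)):
        raise ValueError(f"invalid S3 bucket name: {name}")
    return name
```

Run `denied_writes_by_source` over a day of access logs and alert on any source that exceeds a handful of denied PUTs; the cost function shows why the threshold matters.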
Recommendations
The customer reported the issue to the maintainers of the vulnerable open-source tool, who promptly fixed the default configuration. However, existing deployments may still be affected.
AWS was notified, but was unwilling to address misconfigurations in third-party products. The customer also attempted to inform the companies whose data had landed in the bucket, but received no response.
Ultimately, AWS cancelled the customer’s S3 bill as an exception but emphasized that such exceptions are not guaranteed.
This incident is a cautionary tale for AWS customers to carefully monitor their S3 usage, implement secure bucket naming conventions, and be aware of the potential costs and security risks associated with misconfigured tools and unauthorized requests.
New Fake E-Shopping Attack Hijacking Users Banking Credentials
A fake e-shop scam campaign has been targeting Southeast Asia since 2021. CRIL observed a surge in activity in September 2022, with the campaign expanding from Malaysia to Vietnam and Myanmar.
The attackers use phishing websites to distribute a malicious APK (Android application package), which steals user credentials through SMS and can now also take screenshots and utilize accessibility services on the victim’s device, giving the attackers more control.
Cybercriminals have been running a fake e-shop campaign in Malaysia since 2021, impersonating cleaning services on social media and tricking victims into contacting them via WhatsApp.
The malware specifically targeted login credentials for Malaysian banks, including Hong Leong, CIMB, Maybank, and others, demonstrating a growing trend of social engineering tactics combined with phishing attacks to steal banking information.
A fake e-shop campaign observed by Cyble has been expanding its operations across Southeast Asia, where attackers use phishing websites disguised as legitimate payment gateways to distribute malware.
Phishing site involved in fake e-shop campaign to target Vietnam
The malware then delivers fake login pages designed to steal bank credentials; in Vietnam, the campaign targeted HD Bank customers with a website mimicking the bank’s online portal.
phishing website used in sample targeting Myanmar
The attackers also used a command-and-control server to manage the operation. In Myanmar, the campaign used a similar tactic but targeted different banks and employed a Burmese-language phishing page.
A new wave of phishing sites targeting Malaysian online shoppers mimics legitimate e-commerce platforms; the sites lack sophistication, offering only basic features and fake iOS download buttons.
Latest phishing site in fake e-shop campaign
The malware behind the scam has also been updated, incorporating features like screen sharing and exploiting accessibility services to steal user data.
The latest version targets 18 Malaysian banks and utilizes two URLs, one for phishing and control and another for screen sharing.
Technical Details:
eCart malware disguises itself as a shopping app but is designed to steal user data. Upon installation, it requests accessibility permission to perform automatic clicks and gestures.
Malware initiating screen capture feature
It then communicates with remote servers to initiate screen sharing and send logs, utilizing the Janus plugin to control gestures, and obfuscates its strings with Paranoid to hinder analysis.
Admin panel of Remote server
It also attempts to replace the default SMS app and to gain screen-capture permission. Although screen sharing was not functional because of a misconfiguration, its inclusion suggests the malware’s potential for more sophisticated attacks.
The fake e-shops trick users into logging in, then present fake products and a fake FPX payment page to steal banking credentials for 18 Malaysian banks.
According to Cyble, the attackers have upped their game by adding screen-sharing and exploiting accessibility services, showing an effort to target a wider audience and steal more data.
Fake login and registration pages
They use a phishing email (T1660) containing a malicious e-shop app link (hxxps://www[.]worldshopping-global[.]com/) to gain initial access (TA0027).
Payment methods provided by fake e-shop
Once installed, the malware registers broadcast receivers (T1624.001) to steal incoming SMS messages (T1636.004) and inject inputs (T1516) to potentially mimic user actions.
It also captures screenshots (T1513) using a Janus WebRTC plugin and exfiltrates data, including SMS messages, to a command-and-control server (T1646) at hxxps://superbunapp[.]com.
The attackers also use similar tactics with a fake trading application distributed via a different phishing website (hxxps://ecart-global[.]com).
Microsoft Copilot fixed worldwide after 24 hour outage
After an outage of more than 24 hours, Microsoft’s Bing, Copilot, and Copilot in Windows services are back online worldwide, with no information released as to what caused the problem. […]