Canary Trap’s Bi-Weekly Cyber Roundup – Canary Trap

Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

In this week’s roundup, we will bring you up to speed on the newest Azure vulnerability. We will cover what steps the FCC is taking to combat cybercrime. Then we will tell you who supposedly leaked the New York Times source code. After that, we will review the massive cyber attack at Christie’s which impacted 45,000 people. Lastly, we shine a light on the latest development in the Snowflake breach.

  • Azure Service Tags Vulnerability: Microsoft Warns of Potential Abuse by Hackers

Microsoft has issued a warning about the potential misuse of Azure Service Tags by malicious actors to forge requests from trusted services and bypass firewall rules, which could lead to unauthorized access to cloud resources. The Microsoft Security Response Center (MSRC) emphasized that service tags should not be treated as a sole security measure but rather as part of a broader validation strategy. Service tags should be used primarily as a routing mechanism alongside other validation controls to prevent web request vulnerabilities.

This alert follows findings from cybersecurity firm Tenable, revealing that Azure customers who rely solely on service tags for their firewall rules are at risk of being bypassed. Although there is no current evidence of this feature being exploited, the issue remains significant. The core problem lies in the fact that some Azure services permit inbound traffic through a service tag, which could potentially allow an attacker in one tenant to craft web requests to access resources in another tenant, provided the configuration allows traffic from the service tag without performing its own authentication.

At least ten Azure services have been identified as vulnerable, including Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio. The vulnerability allows attackers to control server-side requests and impersonate trusted Azure services, thereby bypassing the service-tag-based network controls that are typically used to prevent public access to the internal assets, data, and services of Azure customers, which poses a significant security risk. In response to the disclosure made in late January 2024, Microsoft has updated its documentation to clarify that service tags alone are insufficient for securing traffic. The nature of the service and the traffic it sends must also be considered to ensure robust security.

Microsoft advises customers to review their use of service tags and implement additional security guardrails to authenticate only trusted network traffic. This includes adopting measures beyond service tags to ensure a comprehensive security posture for protecting cloud resources from unauthorized access.
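The following is an added example, not code from Microsoft or Tenable, illustrating the point above: a source address inside a service tag's published ranges only tells you which Azure service the request transited, not which tenant sent it. The prefix list, the shared secret and the request shape are all constructed for this illustration; the hardened rule uses an HMAC over the request body as a stand-in for whatever per-tenant authentication the receiving service actually supports.

```python
"""Service tag membership as routing versus authentication (constructed example)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the address ranges published under a service tag.
# Real tags cover large shared ranges that any tenant using that service can send from.
SERVICE_TAG_PREFIXES = [
    ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")
]

# Constructed per-tenant shared secret (hypothetical; real deployments would use
# a managed identity, OAuth token or similar, not a hard-coded value).
SHARED_SECRET = b"constructed-example-secret"


@dataclass
class Request:
    source_ip: str
    body: bytes
    signature: Optional[str] = None  # hex HMAC-SHA256 over body, if present


def source_in_service_tag(ip: str) -> bool:
    """True if the source address lies inside one of the tag's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVICE_TAG_PREFIXES)


def allow_tag_only(req: Request) -> bool:
    """Weak rule: trust any request whose source is inside the tag's ranges.
    Any other tenant using the same Azure service passes this check."""
    return source_in_service_tag(req.source_ip)


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def allow_tag_and_auth(req: Request) -> bool:
    """Hardened rule: the tag narrows where traffic may come from, but the
    request is only accepted if it also carries a valid per-tenant signature."""
    if not source_in_service_tag(req.source_ip):
        return False
    if req.signature is None:
        return False
    return hmac.compare_digest(sign(req.body), req.signature)


def demo() -> dict:
    body = b'{"job":"export"}'
    # Another tenant using the same Azure service sends from the same tag range.
    from_other_tenant = Request("203.0.113.45", body)
    # Our own trusted caller, which holds the shared secret.
    legit = Request("203.0.113.10", body, signature=sign(body))
    # A request from the tag range carrying a signature made with the wrong key.
    forged = Request("203.0.113.45", body, signature=sign(body, b"wrong-key"))
    return {
        "tag_only_other_tenant": allow_tag_only(from_other_tenant),  # True: bypass
        "auth_other_tenant": allow_tag_and_auth(from_other_tenant),  # False
        "auth_legit": allow_tag_and_auth(legit),                      # True
        "auth_forged": allow_tag_and_auth(forged),                    # False
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The first result is the whole finding in miniature: the tag-only rule admits traffic from an unrelated tenant because it shares the service's egress ranges. The hardened rule keeps the tag as a coarse network filter and relies on the signature for the actual trust decision.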

  • FCC Approves $200M for Cybersecurity in Schools

The U.S. Federal Communications Commission (FCC) has approved a $200 million pilot program to enhance cybersecurity in schools and libraries. This initiative will allocate funds from the Universal Service Fund to help these institutions upgrade their data and network security equipment. In return, the FCC will collect data on the equipment used, aiming to develop a comprehensive cybersecurity program.

Proponents emphasized the urgent need for improved cybersecurity in light of the increasing ransomware attacks on school districts. Notable incidents include ransomware attacks on school districts in Scranton, Pennsylvania; Prince George’s County, Maryland; and Los Angeles, which have highlighted the vulnerabilities and significant recovery challenges faced by educational institutions.

FCC Chairwoman Jessica Rosenworcel spearheaded the pilot program as part of a broader technology funding package. She cited numerous ransomware incidents to underscore that many schools not only lack adequate cybersecurity defenses but are also ill-equipped to handle the aftermath of such attacks. Rosenworcel noted that recovery from a ransomware attack could take up to nine months and cost millions, expenses that schools typically do not budget for.

Commissioner Geoffrey Starks also supported the program, emphasizing the substantial risks associated with breaches in schools. He pointed out that schools manage vast amounts of sensitive data, including Social Security numbers, health records, disciplinary records, and other personally identifiable information. This makes them attractive targets for cybercriminals, particularly because schools often lack the resources and cyber expertise necessary to defend against sophisticated attacks.

The approved funds will not impact the existing E-Rate program, which provides financial support for schools and libraries to install or upgrade their internet services and network hardware. This separation ensures that efforts to enhance cybersecurity will not detract from ongoing initiatives to improve internet access and infrastructure.

The pilot program aims to address the growing cybersecurity threats faced by schools and libraries by providing them with the necessary tools and support to bolster their defenses. As the FCC collects data from this initiative, it plans to use the insights gained to inform the development of a larger, more comprehensive cybersecurity rollout in the future. This proactive approach is designed to ensure that educational institutions are better protected against cyber threats and can safeguard the sensitive information they hold.

  • New York Times’s Source Code Leaks Online via 4chan

A 4chan user claims to have leaked 270GB of internal New York Times data, including source code and web assets, via the notorious image board. The alleged leak encompasses “basically all source code belonging to The New York Times Company,” amounting to approximately 5,000 repositories and 3.6 million files, now purportedly available for download from peer-to-peer networks. Details on accessing the files were shared by the poster on 4chan.

While The Register has seen a list of the purportedly leaked files, it has not verified their legitimacy, and The New York Times has not responded to inquiries. The listed files, which allegedly include everything from Wordle blueprints to email marketing campaigns and ad reports, reportedly have “less than 30” repositories encrypted, according to the 4chan user. However, this claim should be approached with skepticism due to the anonymity and unreliability of the source. If authentic, the leak could pose significant issues for The New York Times, given the scope of the stolen data. The filenames suggest a large amount of JavaScript and TypeScript, along with some personal information. The data might be largely scraped from the public site or genuinely stolen.

This incident follows previous cyberattacks on The New York Times. In 2013, the Syrian Electronic Army targeted the newspaper and other media outlets, disrupting website access and defacing pages. The Register also faced a failed spear-phishing attack by the same group, which led to the introduction of mandatory multi-factor authentication. In 2016, suspected Russian cyber-spies infiltrated email inboxes belonging to The New York Times and other American news organizations.

  • Christie’s Says Ransomware Attack Impacts 45,000 People

Christie’s auction house has reported a data breach affecting approximately 45,000 individuals due to a recent ransomware attack. Discovered on May 9, the breach led to the theft of files containing personal information, including names, driver’s license numbers, and non-driver identification card numbers. Affected individuals are being offered 12 months of identity theft and fraud monitoring services, indicating that sensitive data was compromised. The RansomHub ransomware group has claimed responsibility for the attack, asserting that they stole information such as names, birth dates, addresses, and data from identification documents. They claim the breach impacted at least 500,000 Christie’s clients globally, though ransomware groups often exaggerate their successes. On their leak site, RansomHub stated that they sold the stolen data, but ransomware experts doubt this, suggesting the group may be trying to avoid admitting their failure to monetize the data.

The incident underscores the ongoing threat posed by ransomware attacks and the importance of robust cybersecurity measures to protect sensitive information.

  • The Number of Known Snowflake Customer Data Breaches Is Rising

In recent cybersecurity developments, LendingTree subsidiary QuoteWizard and automotive parts provider Advance Auto Parts have been identified as victims in a series of data breaches targeting Snowflake-hosted cloud databases. The breaches targeted customer accounts protected only by single-factor authentication, using credentials obtained through infostealing malware.

Snowflake, a prominent cloud data storage and analytics company with over 9,800 global customers, including major corporations like Mastercard, Honeywell, and Pfizer, has been embroiled in a data breach scandal. The breaches, first reported ten days ago, revealed that attackers began targeting Snowflake’s cloud-based platform in April 2024. Snowflake’s ongoing investigation suggests that the attackers accessed accounts using compromised credentials and highlights the absence of multi-factor authentication (MFA) as a critical factor in these breaches.

Several notable organizations have been named in connection with the breaches, including Santander Group, TicketMaster, LendingTree, and Advance Auto Parts. Additionally, over 500 login credentials and web addresses for Snowflake environments were discovered on a site frequented by would-be attackers, indicating a broader exposure than initially reported.

In response to the breaches, Snowflake CISO Brad Jones reiterated that neither a vulnerability in Snowflake’s platform nor a misconfiguration on Snowflake’s side was to blame. Instead, the breaches resulted from compromised credentials and insufficient security controls on the customers’ side. Snowflake is now working closely with affected customers to enhance their security measures. The company plans to mandate advanced security controls, including MFA and network policies, especially for privileged accounts. The attackers, identified as UNC5537, aggregated credentials from various infostealer logs available on both free and paid platforms across the dark web. Many affected accounts had not rotated their credentials for up to four years and lacked network allow lists to limit access to trusted locations.

The breaches underscore the importance of robust security practices, particularly MFA, which Snowflake plans to enforce more stringently. The shared responsibility model in cloud security places the onus on customers to implement these controls. However, the lack of initial enforcement by Snowflake and the breaches affecting Snowflake-hosted databases highlight that organizations must enforce stringent access controls and regularly update security protocols to safeguard sensitive data. Snowflake’s response, including the upcoming mandatory MFA enforcement, represents a critical step in mitigating future risks and enhancing overall cybersecurity resilience.
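As an added example (not Snowflake’s tooling or any vendor’s output), the script below audits a constructed inventory of data-platform user accounts for the three control gaps named in the reporting above: MFA not enabled, credentials that have not been rotated, and no network allow list. The account records, dates, role names, the 90-day rotation threshold and the field names are all assumptions made for this illustration.

```python
"""Audit a constructed user inventory for missing MFA, stale credentials and
missing network allow lists, ranking privileged accounts first."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user: str
    mfa_enabled: bool
    password_last_set: date
    network_policy: Optional[str]  # name of an IP allow-list policy, or None
    roles: Tuple[str, ...]


MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation threshold for this example
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN"}  # assumed privileged roles


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the list of control gaps found on one account."""
    findings: List[str] = []
    if not acct.mfa_enabled:
        findings.append("no-mfa")
    age_days = (today - acct.password_last_set).days
    if age_days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append(f"stale-credential:{age_days}d")
    if acct.network_policy is None:
        findings.append("no-network-policy")
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, dict]:
    """Audit every account; only accounts with at least one finding are reported."""
    report: Dict[str, dict] = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.user] = {
                "privileged": bool(PRIVILEGED_ROLES & set(acct.roles)),
                "findings": findings,
            }
    return report


def prioritized(report: Dict[str, dict]) -> List[str]:
    """Order users for remediation: privileged first, then most findings first."""
    return sorted(
        report,
        key=lambda u: (not report[u]["privileged"], -len(report[u]["findings"]), u),
    )


# Constructed sample inventory (hypothetical users and dates, not real data).
SAMPLE_ACCOUNTS = [
    # Service account: no MFA, password unchanged for about four years, no allow list.
    Account("svc_etl", False, date(2020, 5, 1), None, ("SYSADMIN",)),
    # Privileged human account with an allow list but no MFA and an old password.
    Account("admin_jane", False, date(2024, 1, 15), "corp_vpn_only", ("ACCOUNTADMIN",)),
    # Well-configured account: MFA on, recent rotation, allow list applied.
    Account("analyst_bob", True, date(2024, 5, 20), "corp_vpn_only", ("ANALYST",)),
]
TODAY = date(2024, 6, 14)  # fixed "today" so the example is reproducible


if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS, TODAY)
    for user in prioritized(report):
        flag = "PRIVILEGED" if report[user]["privileged"] else "standard"
        print(f"{user:12s} {flag:10s} {', '.join(report[user]['findings'])}")
```

Run as-is, the report lists admin_jane ahead of svc_etl even though svc_etl has more gaps, because an unprotected privileged account is the higher-risk remediation; analyst_bob does not appear at all. The same three checks map directly onto the controls Snowflake says it will mandate: MFA, network policies, and credential hygiene.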
