Episode 35: November 21, 2022
Links
https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.html
https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
https://www.darkreading.com/attacks-breaches/researchers-alarm-batloader-malware-dropper
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
https://www.samba.org/samba/security/CVE-2022-42898.html
Amazon RDS Instances Leaking Users’ Personal Data
- Mitiga
- A cloud incident response company
- Released a shocking report
- 810 Instances Found
- Sept 21 – Oct 20, 2022
- 250 exposed for over 30 days
- Amazon RDS
- Relational Database Service
- Web service
- Setting up relational services in AWS
- Different engines supported
- MariaDB
- MySQL
- Oracle
- PostgreSQL
- Hundreds of Amazon RDS instances
- Exposing PII
- Names
- email addresses
- phone numbers
- dates of birth
- marital status
- car rental information
- company logins
- Danger
- Reconnaissance
- Ransomware
- Extortion
- Phishing
- How does this happen?
- RDS snapshots
- Feature that allows creation of “backups” of the database environment; a snapshot can be shared publicly
- Can be accessed by ALL AWS accounts
- Stay Safe
- A snapshot you share should not contain PII
- Make sure RDS snapshots are not publicly accessible
- Encrypt snapshots where applicable
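An added example (not Mitiga's or AWS's code) of the check behind the "Stay Safe" items: audit your manual RDS snapshots for the `restore` attribute value `all` (shared with every AWS account) and for missing encryption. The audit logic runs offline on constructed API-shaped data; `audit_live_account` applies the same logic through boto3's `describe_db_snapshots`, `describe_db_snapshot_attributes` and `modify_db_snapshot_attribute` calls and needs credentials.

```python
PUBLIC = "all"  # 'restore' attribute value meaning any AWS account may copy/restore the snapshot


def snapshot_findings(snapshot, attributes):
    """Problems for one snapshot. `snapshot` is an item of DescribeDBSnapshots.DBSnapshots,
    `attributes` the DBSnapshotAttributes list from DescribeDBSnapshotAttributes."""
    findings = []
    for attr in attributes:
        if attr.get("AttributeName") == "restore" and PUBLIC in attr.get("AttributeValues", []):
            findings.append("public")
    if not snapshot.get("Encrypted", False):
        findings.append("unencrypted")
    return findings


def audit(snapshots, attributes_by_id):
    """Map snapshot id -> findings, keeping only snapshots with at least one problem."""
    report = {}
    for snap in snapshots:
        sid = snap["DBSnapshotIdentifier"]
        found = snapshot_findings(snap, attributes_by_id.get(sid, []))
        if found:
            report[sid] = found
    return report


def audit_live_account(region="us-east-1", remediate=False):
    """Same audit on a real account (needs AWS credentials); optionally removes public sharing."""
    import boto3  # imported here so the offline sample data below needs no AWS SDK
    rds = boto3.client("rds", region_name=region)
    snaps = rds.describe_db_snapshots(SnapshotType="manual")["DBSnapshots"]
    attrs = {s["DBSnapshotIdentifier"]: rds.describe_db_snapshot_attributes(
                 DBSnapshotIdentifier=s["DBSnapshotIdentifier"]
             )["DBSnapshotAttributesResult"]["DBSnapshotAttributes"] for s in snaps}
    report = audit(snaps, attrs)
    for sid, found in report.items():
        if remediate and "public" in found:  # stop sharing with 'all'
            rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=sid,
                                             AttributeName="restore", ValuesToRemove=[PUBLIC])
    return report


# Constructed sample in the shape of the API responses (not real snapshots or accounts).
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "prod-customers-2022-10-01", "Encrypted": False},
    {"DBSnapshotIdentifier": "dev-scratch-2022-10-02", "Encrypted": True},
]
SAMPLE_ATTRIBUTES = {
    "prod-customers-2022-10-01": [{"AttributeName": "restore", "AttributeValues": ["all"]}],
    "dev-scratch-2022-10-02": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}],
}

if __name__ == "__main__":
    print(audit(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES))  # {'prod-customers-2022-10-01': ['public', 'unencrypted']}
```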
Dangerous BatLoader Malware Dropper
- new malware loader
- Infecting systems over the last few months
- Tracked by VMware Carbon Black researchers
- Dubbed “BatLoader”
- Batloader
- batch and PowerShell scripts
- To get initial access
- Determines if it’s on a business or personal computer
- Personal
- Fraud
- Infostealing
- banking-based payloads
- Ursnif
- Business/Organization
- intrusion tools
- Cobalt Strike
- Syncro
- distribute a variety of malware tools
- a banking Trojan
- an information stealer
- the Cobalt Strike post-exploit toolkit
- Resemblance
- Conti
- IP Address
- Atera
- Remote Management Tool
- Zloader
- Banking trojan
- SEO Poisoning
- Windows Installer
- Initial foothold
- PowerShell
- Batch Scripts
- VMware Report
- Carbon Black MDR team
- In 90 days
- 43 successful infections
- Numerous unsuccessful attempts
- victim downloaded file but didn’t execute it
- Victims
- 9 Business Services
- 7 Financial Services
- 5 Manufacturing
- eSentire
- Threat hunting team
- Luring victims to fake pages
- Download pages for popular software
- LogMeIn
- Zoom
- TeamViewer
- AnyDesk
- Used ads to get to the top of search results
- Detected attack
- Fake LogMeIn
- Downloaded a Windows Installer
- Profiled the system
- Get second stage payload
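An added hunting heuristic for the chain described above (a Windows Installer file that runs batch and PowerShell scripts to profile the system and fetch the next stage); it is not from VMware's or eSentire's reports. It assumes process-creation telemetry in a Sysmon-like JSON-lines shape and that installer-launched scripts show up as child processes of `msiexec.exe`; the sample events are constructed.

```python
import json
from pathlib import PureWindowsPath

# Script hosts that a software installer package should rarely need to spawn.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def is_installer_script_spawn(event):
    """True when msiexec.exe (Windows Installer) launches a batch/PowerShell host.
    `event` mimics a Sysmon EventID 1 / process-creation record (assumed field names)."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    return parent == "msiexec.exe" and child in SCRIPT_HOSTS


def hunt(jsonl_text):
    """Return (host, child image, command line) for each matching event in a JSON-lines feed."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_installer_script_spawn(ev):
            hits.append((ev.get("Computer"), ev["Image"], ev.get("CommandLine", "")))
    return hits


# Constructed sample events (not real telemetry). Only the second one should fire:
# an admin-run script from explorer.exe and msiexec spawning itself are both normal.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Tools\inventory.ps1"},
    {"Computer": "WS02", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\setup.bat"},
    {"Computer": "WS03", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": "msiexec.exe /V"},
])

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious installer script spawn:", hit)
```

Treat a hit as a lead to triage (what package, where it was downloaded from, what the script did next), not as a verdict on its own.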
Samba Vulnerability Can Lead to DoS or RCE
- Implements the Server Message Block (SMB) protocol
- Open-Source Project
- Linux and Unix systems
- CVE-2022-42898 (CVSS 6.4 out of 10)
- Multiple Samba releases
- 32-bit systems impacted; 64-bit systems are not vulnerable.
- file servers are only impacted if in a non-AD domain
- in the Service for User to Proxy (S4U2proxy) handler
- affected libraries act as an authentication mechanism
- by means of tickets that can contain Privilege Attribute Certificates (PACs)
- Heimdal and MIT Kerberos libraries
- can be triggered by sending a specially crafted request to the KDC server.
- Key Distribution Center (KDC)
- most vulnerable is the KDC, as it will parse an attacker-controlled PAC in the S4U2Proxy handler
- the libraries suffer from an integer multiplication overflow when calculating how many bytes to allocate for a buffer for the parsed PAC
- Successful exploitation of this bug could lead to a denial-of-service (DoS) condition or possibly remote code execution (RCE).
- Remediation
- Samba 4.15.12, 4.16.7, and 4.17.3 have been released with patches for this security defect.
- Heimdal 7.7.1 also addresses this bug.
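An added model (not Samba, Heimdal or MIT Kerberos code) of the bug class described above: the allocation size for a parsed PAC is `header + count * entry_size`, and with a 32-bit `size_t` that product can wrap to a small number while a 64-bit `size_t` has room for it, which is why only 32-bit builds are affected. The buffer count and the 16-byte info-buffer entry are the MS-PAC header layout; the exact expression in the affected libraries is not reproduced, and the checked variant shows the overflow test a parser of untrusted input needs.

```python
import struct

INFO_BUFFER_SIZE = 16  # bytes per PAC_INFO_BUFFER entry (MS-PAC)
HEADER_SIZE = 8        # cBuffers (4 bytes) + Version (4 bytes)


def alloc_size(count, bits, checked):
    """Bytes to allocate for `count` info-buffer entries with a `bits`-wide size_t.
    checked=False reproduces wrapping C arithmetic; checked=True rejects overflow."""
    mask = (1 << bits) - 1
    if checked:
        # Divide instead of multiplying so the test itself cannot overflow.
        if count > (mask - HEADER_SIZE) // INFO_BUFFER_SIZE:
            raise OverflowError("PAC buffer count too large for size_t")
        return HEADER_SIZE + count * INFO_BUFFER_SIZE
    return (HEADER_SIZE + count * INFO_BUFFER_SIZE) & mask


def overflow_rejected(count, bits):
    """True when the checked calculation refuses `count` on a `bits`-wide platform."""
    try:
        alloc_size(count, bits, checked=True)
        return False
    except OverflowError:
        return True


def parse_pac_header(data, bits=32, checked=True):
    """Return (count, bytes_allocated); models a KDC sizing a buffer for an untrusted PAC."""
    count, _version = struct.unpack_from("<II", data, 0)
    return count, alloc_size(count, bits, checked)


def make_header(count):
    """Constructed PAC header with a chosen buffer count (test data, not a real ticket)."""
    return struct.pack("<II", count, 0)


if __name__ == "__main__":
    big = 1 << 28  # 2**28 entries * 16 bytes = 2**32, one past what 32 bits can hold
    print(parse_pac_header(make_header(big), bits=32, checked=False))  # (268435456, 8): wrapped
    print(parse_pac_header(make_header(big), bits=64, checked=False))  # (268435456, 4294967304)
    print(overflow_rejected(big, 32), overflow_rejected(big, 64))      # True False
```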
RapperBot Targets Game Servers with Modified Brute-Force and DDoS Attacks
- RapperBot
- IoT botnet
- Targets Devices with Architecture
- ARM
- MIPS
- PowerPC
- SH4
- SPARC
- Checks and halts its self-propagation if the device is running on Intel chipsets.
- new capabilities
- New Version in early October
- perform Telnet brute force
- self-propagation
- DoS
- UDP floods
- targeting game servers running
- Grand Theft Auto San Andreas: Multi Player (SA:MP)
- generic UDP/TCP flood
- TCP SYN/ACK flood
- GRE IP/Ethernet flood
- it downloads and executes the payload
- using software already installed on the compromised device
- curl
- wget
- ftpget
- tftp
- If these are not present
- it fetches its own downloader
- Downloads the primary payload.
- SSH brute-forcing campaign
- Previously retrieved the list of hard-coded plaintext credentials from a C2 server
- to gain root access to IoT devices
- now these credentials are embedded in the malware binary
- successful break-ins are reported back to the C2 server