One Article Review

Source: AlienVault Blog
Identifier: 979003
Publication date: 2019-01-07 14:00:00 (seen: 2019-01-07 16:01:09)
Title: Data Exfiltration in AWS: Part 2 of Series
Text: In the previous blog in this four-part blog series, we discussed AWS IAM and how it can be compromised to allow for data exfiltration. In this blog we will drill into data exfiltration.

One of the more common issues reported on lately involves EC2 instances running data storage services like Elasticsearch and MongoDB, which by default don't require any credentials to interact with the data store. If you don't set up your security groups properly, you can inadvertently expose, for example, the Elasticsearch port (9200) to the Internet. If that happens, you can bet that somebody is going to find it and dump its entire data set.

Here's a common scenario we've seen in AWS: A web application is capturing user details and analytics. The developers want to capture that data in a metrics-friendly repository (in addition to the database that the application uses), so they spin up an EC2 instance, install Elasticsearch and start dropping data into it that is useful for analytics tracking. It's probably not sensitive data, so they're not too worried about locking it down, and for convenience the backend Elasticsearch port is exposed to the Internet. As the analytics requirements evolve along with the application, more and more data ends up in the completely exposed data store. Then a bad guy does a port scan and finds it sitting there, ripe for the picking. It's become so common that adversaries have gone through the trouble of creating ransomware that fully hijacks the data store and encrypts the data within it.
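As an added example (not code from the AlienVault post), here is the security-group audit that would flag the scenario above: a standard-library Python check over the IpPermissions structure that boto3's ec2.describe_security_groups() returns, run on a constructed sample rather than a live account, and covering the "all traffic" and port-range rules that a naive equality check on port 9200 would miss.

```python
"""Find data-store ports (Elasticsearch 9200, MongoDB 27017) open to the whole Internet."""
import ipaddress

# Default listener ports of the data stores the article names.
DATASTORE_PORTS = {9200: "Elasticsearch", 27017: "MongoDB"}

def is_world_open(ip_range):
    """True for a CidrIp/CidrIpv6 entry of 0.0.0.0/0 or ::/0 (prefix length zero)."""
    cidr = ip_range.get("CidrIp") or ip_range.get("CidrIpv6")
    return bool(cidr) and ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def rule_covers_port(perm, port):
    """True when an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # "All traffic": every protocol, every port
        return True
    if proto not in ("tcp", "6"):     # UDP/ICMP rules cannot reach these TCP listeners
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi

def find_exposed_datastores(security_groups):
    """One (group id, port, service, world CIDRs) tuple per world-open data-store port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            world = sorted(r.get("CidrIp") or r.get("CidrIpv6")
                           for r in ranges if is_world_open(r))
            if not world:
                continue              # rule is scoped to specific sources; not a finding
            for port, service in DATASTORE_PORTS.items():
                if rule_covers_port(perm, port):
                    findings.append((sg["GroupId"], port, service, world))
    return findings

SAMPLE_GROUPS = [  # constructed sample in the shape of describe_security_groups() output
    {"GroupId": "sg-analytics", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9200,
        "ToPort": 9200, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9200,
        "ToPort": 9200, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-wide", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-range", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9000,
        "ToPort": 9300, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, port, service, cidrs in find_exposed_datastores(SAMPLE_GROUPS):
        print(f"{group_id}: {service} port {port} open to {', '.join(cidrs)}")
```

On a real account, replace SAMPLE_GROUPS with the "SecurityGroups" list from boto3 and treat every finding as a rule to restrict to the application's own security group or CIDR.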
Here are some examples:

Data Exfiltration: Risks
- Marketing Firm Exactis Leaked a Personal Info Database with 340 Million Records (WIRED)
- Sales Engagement Startup Apollo Says its Massive Contacts Database was Stolen in a Data Breach (TechCrunch)
- Veeam Server Lapse Leaks Over 440 million Email Addresses (TechCrunch)

Ransomware
- Online databases dropping like flies, with >10k falling to ransomware groups (Ars Technica)

With a public vulnerability search tool such as Shodan, you can do a search for publicly exposed Elasticsearch databases and it'll give you a big list. It's not difficult to find systems that have been exposed this way, and attackers are finding them pretty quickly.

Application Abuse

The other way that data exfiltration takes place is through an application vulnerability, but this isn't AWS-specific. There are common application vulnerabilities that some attackers are very adept at discovering. A crafty attacker will bang on a web application long enough to find a vulnerability that they can use to exfiltrate data from the system. This technique is very effective because most web applications need access to some degree of sensitive data in order to be of any use.
Sent: Yes
Tags: Ransomware, Tool, Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.