In BIG-IP Versions 16.1.x before 16.1.3.1 and 15.1.x before 15.1.6.1, and all versions of BIG-IQ 8.x, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP or BIG-IQ on Amazon Web Services (AWS) systems, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Successful exploitation relies on conditions outside of the attacker's control. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-34844

By Deeba Ahmed
According to the latest research findings from VirusTotal, cybercriminals and threat actors are increasingly relying on mimicked versions…
This is a post from HackRead.com Read the original post: VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

According to the latest research findings from **VirusTotal**, cybercriminals and threat actors are increasingly relying on mimicked versions of genuine, common-use apps such as Adobe Reader, Skype, and VLC Player to successfully conduct social engineering attacks.

**Findings Details**

In their study of malware, researchers at Google’s VirusTotal revealed that cybercriminals deploy numerous approaches to abuse the trust users have in many reputable apps.

The most widespread tactic is **mimicking legit apps to deliver malware**. In this technique, the app’s icon is replicated to gain the victim’s trust and convince them to use the mimicked app. The purpose behind this malicious new strategy is to bypass security solutions such as IP or domain-based firewalls on devices and spread malware via trusted domains.

Another commonly used attack tactic is stealing authentic signing certificates from legit software vendors and using them for signing the malware. Reportedly, since 2021, over one million signed samples had been declared suspicious.

Around thirteen percent of the samples checked by Google’s team didn’t have a valid signature when uploaded on VirusTotal for the first time, and over ninety-nine percent of them were DLL or Windows Portable Executable files.

This happens because the process of examining the validity of a signed file can be abused by malware stated VirusTotal security engineer Vicente Diaz. This becomes concerning when attackers start stealing legit certificates and creating an **ideal supply chain attack scenario**.

The third technique is incorporating legit installers as a portable executable resource into malicious samples to execute the installer when malware is run.

1.  **Microsoft Office Most Exploited Software in Malware Attacks**
2.  **US and China Exposed Most Databases Among 380k Found in 2021**
3.  **Fake reviews & third-party apps cause 50% of threats against Android**
4.  **134 million downloads in 85 countries: A look at VPN usage in H1 2020**
5.  **Google, Microsoft and Oracle generated the most vulnerabilities in 2021**
6.  **Google Drive accounted for 50% of malicious Office document downloads**

**Over 2 Million Suspicious Files Downloaded from Top Domains**

According to VirusTotal’s **blog post**, ten percent of the **top 1,000 Alexa domains** had distributed suspicious samples, including the domains commonly used for distributing files, and over 2 million shady files were downloaded from these domains.

Despite the technique’s simplicity, Diaz explains, it can effectively avoid raising red flags for the victim. That’s why many channels are becoming popular as potent malware distribution vectors. This includes the distribution of **cracked software**.

**Most Abused Websites and Apps**

The top three mimicked apps include the following:

*   Adobe Acrobat
*   VLC media player
*   Skype VoIP platform

When they researchers examined the URLs using web icon similarity, WhatsApp, Instagram, Facebook, and iCloud were the four most abused sites.

> “Adobe Acrobat, Skype, and 7zip are very popular and have the highest infection ratio, which probably makes them the top three applications and icons to be aware of from a social engineering perspective.”
> 
> VirusTotal

Furthermore, VirusTotal discovered 1,816 samples since January 2020 masquerading legit software by hiding the malware in installers for popular software like Zoom, Google Chrome, Proton VPN, Brave, and Mozilla Firefox.

Other impersonated apps by icon were TeamViewer, 7-Zip, CCleaner, Steam, Microsoft Edge, Zoom, and WhatsApp. The abused domains included are discordappcom, squarespacecom, amazonawscom, mediafirecom, and qqcom. 

The reason why attackers are using these software and apps is unknown as yet but one reason could be their popularity, Diaz stated.

**More Malware News**

1.  **Malware families using Pay-Per-Install service to expand targets**
2.  **This malware hides behind free VPN, pirated security software keys**
3.  **Fake KPSPico Windows activator tool KPSPico steals crypto wallet data**
4.  **Malware droppers for hire targeting users on fake pirated software sites**
5.  **Researchers Warn of New Variants of ChromeLoader Browser in the Wild**

VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack.
Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed.
"One of the

Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack.

Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed.

"One of the simplest social engineering tricks we've seen involves making a malware sample seem a legitimate program," VirusTotal said in a Tuesday report. "The icon of these programs is a critical feature used to convince victims that these programs are legitimate."

It's no surprise that threat actors resort to a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly innocuous executables.

This, in turn, is primarily achieved by taking advantage of genuine domains in a bid to get around IP-based firewall defenses. Some of the top abused domains are discordapp\[.\]com, squarespace\[.\]com, amazonaws\[.\]com, mediafire\[.\]com, and qq\[.\]com.

In total, no fewer than 2.5 million suspicious files downloaded from 101 domains belonging to Alexa's top 1,000 websites have been detected.

The misuse of Discord has been well-documented, what with the platform's content delivery network (CDN) becoming a fertile ground for hosting malware alongside Telegram, while also offering a "perfect communications hub for attackers."

Another oft-used technique is the practice of signing malware with valid certificates stolen from other software makers. The malware scanning service said it found more than one million malicious samples since January 2021, out of which 87% had a legitimate signature when they were first uploaded to its database.

VirusTotal said it also uncovered 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.

Such a distribution method can also result in a supply chain when attackers manage to break into a legitimate software's update server or gain unauthorized access to the source code, making it possible to sneak the malware in the form of trojanized binaries.

Alternatively, legitimate installers are being packed in compressed files along with malware-laced files, in one case including the legitimate Proton VPN installer and malware that installs the Jigsaw ransomware.

That's not all. A third method, albeit more sophisticated, entails incorporating the legitimate installer as a portable executable resource into the malicious sample so that the installer is also executed when the malware is run so as to give an illusion that the software is working as intended.

"When thinking about these techniques as a whole, one could conclude that there are both opportunistic factors for the attackers to abuse (like stolen certificates) in the short and mid term, and routinely (most likely) automated procedures where attackers aim to visually replicate applications in different ways," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

VirusTotal Reveals Most Impersonated Software in Malware Attacks

To protect against similar attacks, organizations should focus on bringing cloud entitlements and configurations under control.

The recent conviction of a Seattle tech worker accused of carrying out a cyberattack against Capital One is not the end of the story. The trial showed how one person could perpetrate a massive data breach by exploiting misconfigurations and excessive privileges common in many cloud environments.

In the wake of the attack — and the resulting data breach — Capital One was fined $80 million by the federal government and settled customer lawsuits for $190 million. This should give organizations an incentive to put measures into place to avoid the same mistakes.

The attacker, who was an employee of Amazon Web Services, built a tool that allowed her to scan the AWS platform for misconfigured accounts. She used anonymizing services such as the Tor Network and IPredator VPN to hide her IP address.

The attacker carried out a server-side request forgery (SSRF) attack that enabled her to trick a server into making calls crafted on a misconfigured Web application firewall (WAF). This allowed the Capital One attacker to easily extract and exploit the machine's credentials and gain access to sensitive customer data such as names, addresses, and Social Security numbers.

**Lateral Moves and Least Privilege**

This case illustrates just how vulnerable cloud systems are to entitlements and misconfigurations. The hacker was able not only to exploit a misconfiguration in the WAF to access the system, but also to then obtain privileged credentials, move around to uncover data buckets, and then exfiltrate that data.

An MIT Sloan case study on the breach concluded that "it is very likely that Capital One had insufficient Identity and Access Management (IAM) controls for the environment that was hacked.” The study also noted that the incident could have been prevented by periodic reviews of user configurations to ensure that access controls were using the principle of least privilege correctly.

Least privilege, as the name implies, dictates that users and service identities can access only the resources and applications they need to do their jobs and no more. This lets organizations operate with agility while capping risk to the company and its customers. In the case of Capital One, the IAM role of the compromised WAF machine had access privileges beyond what was necessary for its functions.

This case is a good example of how easy it can be to find vulnerabilities and exploit them to open a backdoor into a company — even one that seems well-protected. Workloads can be compromised in so many ways that it's impossible to make them hacker-proof. Even the best efforts to patch and update software, secure network access, and implement other security best practices can leave gaps that a hacker can exploit.

Once inside, an attacker's ability to move laterally, undetected, defines the "blast radius" or extent of the damage. The best way to mitigate lateral attacks is to control access by rightsizing the permissions granted to human and machine (service) accounts. In the Capital One case, the hacker was able to use an identity with access permissions to sensitive user records the role clearly didn’t need.

The complexity of cloud environments makes applying least privilege policy challenging. Native tools do not provide the required visibility into permissions for proactive risk mitigation. In addition, the much-discussed cybersecurity talent gap means most organizations are understaffed and lack cloud expertise.

As a result, permissions management doesn’t get the attention it deserves. In fact, nearly 60% of CISOs and other security decision makers say lack of visibility, as well as inadequate identity and access management, are major threats to their cloud infrastructure. In a recent survey by IDC, respondents cited access risk and infrastructure security among their top cloud security priorities for the next 18 months.

Rightsizing permissions is doable if an organization's security and development teams can identify excessive entitlements and know how to create a least-privilege policy that will allow workloads to effectively function. This can be accomplished using the right blend of technology, processes, and procedures. Consider the following best practices to bring cloud entitlements and configurations under control:

*   **People:** Give someone in the organization responsibility for implementing a least-privilege architecture.

*   **Process:** Establish a regular cadence for reviewing and remediating entitlement risk in your organization, including access reviews for human users and remediation of unused privileges for services.

*   **Technology:** Deploy technology that can continuously monitor entitlement risk, automatically remediate problems, and identify anomalies at cloud scale.

Organizations can learn valuable lessons from this case and the financial consequences of not minding their cloud Ps and Cs — namely, permissions and configurations.

Capital One Breach Conviction Exposes Scale of Cloud Entitlement Risk

This affects all versions of package s3-kilatstorage.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-S3KILATSTORAGE-1050396
    
*   **published**
    
    20 Jan 2021
    
*   **disclosed**
    
    11 Dec 2020
    
*   **credit**
    
    JHU System Security Lab
    

**How to fix?**

There is no fixed version for s3-kilatstorage.

**Overview**

s3-kilatstorage is a S3 client for NodeJs 8.X or greater. KilatStorageS3 uses a bash command to run s3cmd which has been configured and connected to the kilatstorage service. You can use this package for Amazon S3 service too.

Affected versions of this package are vulnerable to Command Injection.

**PoC**

    var a = require("s3-kilatstorage");
    a.makeBucket("&  touch JHU #");

CVE-2020-28424: Snyk Vulnerability Database | Snyk

Canary tokens — also known as honey tokens — force attackers to second-guess their potential good fortune when they come across user and application secrets.

With nearly half of all breaches involving external attackers enabled by stolen or fake credentials, security firms are pushing a high-fidelity detection mechanism for such intrusions: canary tokens.

Canary tokens, a subset of honey tokens, are manufactured access credentials, API keys, and software secrets that, when used, trigger an alert that someone is attempting to use the fake secret. Because the credentials are not real, they would never be used by legitimate workers, and so any attempt to access a resource using the canary token is a high-confidence sign of a compromise.

Last week, secrets-management firm GitGuardian released a version of the technology, _ggcanary_, as an open source project on GitHub. The project, tailored to Amazon Web Services (AWS) credentials, is designed to give developers a simple-to-use tool to detect attacks on their software development pipeline, says Henri Hubert, lead developer for GitGuardian's Secrets Team.

"You can put them almost everywhere," he says. "The best place to put them is in the CI/CD pipeline or in your artifacts used in that pipeline, such as Docker images. But you can also put them in your private repositories and your local environment. You can put them almost anywhere that is related to your developers' work."

    

Credentials are a popular target of theft. Source: 2022 Data Breach Investigations Report, Verizon

As the use of cloud services and APIs have taken off, attackers have increasingly targeted such infrastructure with stolen credentials and API tokens. The average company uses more than 15,000 APIs, tripling in the past year, while malicious attacks on those APIs have jumped seven-fold, according to research released in April. In addition, nearly 50% of all breaches not otherwise due to user error or misuse make use of credentials, according to Verizon's "2022 Data Breach Investigations Report" (DBIR). 

**Tripwires Slow Down Attacks**

Unsurprisingly, more companies are using canary tokens to create digital minefields for which attackers need to be wary or otherwise get caught. By seeding file servers, development servers, and personal systems with files that contain credentials or links that can act as tripwires, companies make lateral movement within their systems much more hazardous for attackers, says Haroon Meer, founder and CEO of Thinkst, a cybersecurity consultancy that created its own infrastructure for canary devices and tokens, including servers, sensors, and credentials.

Yet, attackers really have no choice: They cannot ignore potential legitimate credentials during an intrusion, he says.

"If they happen to find AWS credentials or the keys to someone's Kubernetes cluster, attackers have to try it — it's really hard for them to not to use those," Meer says. "And if you get notified the moment that they try it, then you shrink the exposure window so dramatically because you are not finding out months later after they have done everything to you."

Thinkst's Meer likes to point to comments from penetration testers and red teams that highlight the utility of canary tokens. Attackers have to always second guess any cache of credentials, API keys, or software secrets that they find, and that slows them down, tweeted Shubham Shah, a bug hunter, penetration tester, and chief technology officer at attack-surface management startup Assetnote.

"The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal," Shah said. "If the aim is to increase the time taken for attackers, canary tokens work well."

GitGuardian's _ggcanary_ focuses on Amazon Web Services because of the popularity of the platform and of the infrastructure-as-code management platform, Terraform. In its best-practices document, Amazon highlights that control of AWS access keys equals control of all AWS resources.

"Anyone who has your access keys has the same level of access to your AWS resources that you do," Amazon stated in its "Best practices for managing AWS access keys" document. "Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well."

**Everyone Likes Canaries**

Companies such as Thinkst, GitGuardian and Microsoft are aiming to make canary tokens much easier to deploy — often in minutes.

Yet defenders are not the only ones to find uses for canaries. Attackers have also started using canary tokens as a way to detect when defenders analyze their malware.

In a recent report of an attack by the Iran-linked group MuddyWater, Cisco's Talos Intelligence group noted the simple usage of canary tokens. The initial malware — a Visual Basic script — sends two requests for the same canary token to validate a compromise. If only a single request is detected, which would likely happen during sandboxed execution or during analysis, then the malware does not run.

"A reasonable timing check on the duration between the token requests and the request to download a payload can indicate automated analysis," stated Cisco's threat intelligence team in an advisory. "Automated sandboxed systems would typically execute the malicious macro generating the token requests."

Credential Canaries Create Minefield for Attackers

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Something peculiar seems to be happening high up in the treetops. Any ideas what it could be? Send us your caption ideas for the above cartoon, and the winner of The Edge's August contest will receive a $25 Amazon gift card. 

We offer four convenient ways for you to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge July 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

The contest closes on Wednesday, August 24, 2022.

**Last Month's Winner**

And .... he does it again! AgCredit IT director Allen Campbell, who won our May "Flower Power" contest, captured the most votes for his caption for last month's contest, "On Guard." A $25 gift card is on the way for his clever caption, below. Thank you to everyone who participated.

    

  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Up a Tree

Identity and access management was front and center at AWS re:inforce this week.

Amazon emphasized identity and access management during its AWS re:Inforce Security conference in Boston this week. Among announcements for GuardDuty Malware Detection and Amazon Detective for Elastic Kubernetes Service (EKS), Amazon Web Services executives highlighted the launch of IAM Roles Anywhere from earlier this month, which enables AWS Identity and Access Management (IAM) to run on resources outside of AWS. With IAM Roles Anywhere, security teams can provide temporary credentials for on-premises resources.

IAM Roles Anywhere enables on-premises servers, container workloads, and applications to use X.509 certificates for the temporary AWS credentials, which can use the same AWS IAM roles and policies. "IAM Roles provides a secure way for your on-premises servers, containers, applications, to obtain temporary AWS credentials," AWS VP of Platforms Kurt Kufeld said.

Creating temporary credentials is an ideal alternative when they are only needed for short-term purposes, Karen Haberkorn, AWS director of product management for identity, said during a technical session.

"This extends IAM Roles so you can use them and workloads running outside of AWS that lets you tap into all the power of AWS services wherever your applications are running," Haberkorn said. "It lets you manage access to AWS services in the exact same way you are doing today for applications that run in AWS, for applications that run on premises, at the edge — really anywhere."

Because IAM Roles Anywhere enables organizations to configure access the same way, it reduces training and provides a more consistent deployment process, Haberkorn added. "And yes, it means a more secure environment," she said. "It's more secure because you no longer having to manage the rotation and the security of any long-term credential that you might have used for on-premises applications in the past."

**New IAM Identity Center**

Amazon also announced that it has renamed its AWS Single Sign-On offering "AWS Identity Center." Principal product manager Ron Cully explained in a blog post this week that the name change is to better reflect its full set of capabilities and to support customers who in recent years have shifted to a multi-account strategy. AWS is also looking to "reinforce its recommended role as the central place to manage access across AWS accounts and applications," Cully wrote.

While AWS hasn't announced any technical changes to AWS Identity Center, Cully said that it has emerged as the "front door into AWS." AWS Identity Center handles all authentication and authorization requests, and now processes half a billion API calls per second.

Curtis Franklin, a senior analyst who covers enterprise security management and security operations at Omdia, noted that AWS underscored IAM throughout the 2-day conference. "AWS gave signs that it considers identity the frontline to security and privacy in the cloud," he said. "I think they are going to continue to bring in partners so that AWS is the single source of truth about who authorized users are and what privileges they can have."

AWS Focuses on Identity Access Management at re:Inforce

The new GuardDuty Malware Protection and Amazon Detective were among 10 products and services unveiled at AWS re:Inforce in Boston this week.

Amazon Web Services (AWS) has added malware protection to its GuardDuty threat detection service for EC2 compute instances and container workloads backed by Elastic Block Storage (EBS) volumes. The new GuardDuty Malware Protection option is designed to detect suspicious files that could be malware and then alert administrators through the AWS Security Hub.

The release of GuardDuty Malware Protection was among 10 new products and services that the cloud provider revealed during its AWS re:Inforce security conference in Boston this week. Amazon hosted thousands of security professionals at the event, which included a broad agenda of technical sessions, training and certification workshops, and panel discussions.

AWS Platform VP Kurt Kufeld outlined the cloud provider's latest security announcements during the event's opening keynote session. Explaining how the new GuardDuty Malware Protection feature works, Kufeld said when it detects suspicious files, it takes a snapshot of the associated EBS volume as the workload is processing.

GuardDuty then sends its findings to the AWS Security Hub via Amazon EventBridge, the same way it handles other threat activities. Amazon Detective, a tool AWS added in 2020 that uses machine learning to investigate events by analyzing log data, detects if any malware is present. 

"Use the integration to gain visibility into your overall security state for your organization, as well as easily search, filter, triage, investigate, or take action on any of the security findings that you do have," Kufeld said.

GuardDuty then analyzes what it finds with compute that runs in the AWS service account, "not your account, so as not to disturb the workload or require any agents or security software to be deployed inside your workload," Kufeld added. "When malware is detected, GuardDuty malware protection automatically sends additional and contextualized malware findings to GuardDuty console."

Curtis Franklin, a senior analyst who covers enterprise security management and security operations at Omdia, said AWS is taking an aggressive step with the addition of GuardDuty Malware Protection. 

"Calling it malware protection is a stretch; it's malware detection, and that's a critical difference," Franklin said. "It is not a fully featured offering, but it does plant a stake in the market for them."

AWS identified nine partners whose threat protection can integrate with its new malware offering: Bitdefender, CloudHesive, CrowdStrike, Fortinet, Palo Alto Networks, Rapid7, Sophos, Sysdig, and Trellix.

**Kubernetes Support for Amazon Detective**

Among other new offerings, AWS has added support for Kubernetes workloads with the addition of Amazon Detective for EKS, which builds on the managed threat analytics service. Amazon Detective ingests a wide variety of events, such as login attempts, API calls, and traffic, from various AWS services, including GuardDuty, AWS CloudTrail, and Amazon VPC. Since launching Amazon Detective two years ago, AWS has added support for identity and access management (IAM) roles, IP address analytics, integration with Splunk, Amazon S3, and AWS Organizations.

Amazon Detective for EKS was created in response to organizations moving to containers, which has resulted in growth of AWS' Elastic Kubernetes Service (EKS).

"Amazon Detective for EKS analyzes, investigates, and identifies the root cause of security findings for suspicious control-plane activity on EKS clusters," Kufeld said. "With a single-click setting and no agent requirements, it is much easier to start analyzing Amazon EKS specific activity. It uses advanced correlation and graph-based analytics to investigate security findings from suspicious container images or container misconfigurations that may allow access to the underlying EC2 nodes."

Amazon Adds Malware Detection to GuardDuty TDR Service

Why was PII belonging to nearly 1 billion people housed in a single, open database? Why didn't anyone notice it was downloaded?

Questions continue to swirl around a June 30 incident where an unknown individual put up for sale on a popular underground forum a staggering 23TB of personally identifiable information (PII), belonging to some 1 billion people in China. 

And, in the meantime, the database is continuing to cause ripples across the Dark Web.

The dataset was reportedly accessed from an unsecured Shanghai police database hosted on Alibaba's cloud hosting platform. It included names, addresses, birthplaces, phone numbers, national IDs, and criminal records associated with Chinese citizens and even foreign nationals who might have visited Shanghai during the past few years. The database is still available for sale for 20 bitcoins, or roughly $240,000 currently.

The leak is believed to have happened because a dashboard for managing the database was apparently left open to the Internet, without a password, for more than one year. Though the incident represents one of the largest ever compromises of PII to date, news of it has reportedly been largely blacked out in China. 

However, that has not stopped members of the country's prolific hacking community from flocking to the underground forum where the data is available, according to researchers at Cybersixgill who have been tracking the aftermath of the massive breach. There also has been a notable increase in data leaks of Chinese entities that have been shared on the forum since June 30, they noted.

"We anticipate that we will be seeing the reverberations of this breach on the underground for quite some time," predicts Naomi Yusupov, Chinese intelligence analyst at Cybersixgill. She expects that threat actors will try and use the leaked data in social engineering campaigns, in attacks to try and access more data, and in a variety of other malicious ways.

Yusupov also expects the breach to encourage other threat actors to share more data from breaches in China, as has already begun happening. Chinese threat actors appear to be viewing the high asking price for the Shanghai data as an indication that Chinese databases overall are highly valuable. This could encourage more Chinese data leaks, she says.

"The massive uptick in Chinese users active on the forum could increase the communication and knowledge transfer between the Chinese and the English underground," she notes.

**More Than Just Another Cloud Misconfig**

There have been countless instances where organizations have similarly exposed sensitive data by leaving it in poorly secured, Internet-accessible cloud storage buckets like Amazon's S3 and ElasticSearch buckets. The most recent incident involved 3TB of sensitive data belonging to airport employees in Columbia and Peru that was exposed via a misconfigured Amazon S3 bucket. 

Vendors such as Upguard have reported detecting thousands of such instances in recent years. UpGuard's most notable discoveries on S3 buckets include some 540 million records from multiple Facebook third-party apps, trade secrets belonging to GoDaddy, and 73GB of data belonging to Pocket Inet employees.

What makes the Shanghai breach notable is its sheer scale. By most accounts, it is one of the largest ever known compromises of PII.

"We see breaches like this quite often," says Ray Kelly, fellow at the Synopsys Software Integrity Group. "\[But\] the staggering volume and breadth of PII that was contained about Chinese citizens and non-citizens alike will certainly raise red flags."

And it's not just the seeming lapse in securing the database alone that's at issue here: "Was it smart to store 1 billion users' PII in one location to begin with?" he asks rhetorically.

John Bambenek, principal threat hunter at Netenrich, says another big question is why nobody noticed 23TB worth of data being downloaded from the cloud database. 

"Aside from backups, I can’t think of any legitimate use case that involves moving an entire dataset like that," he says. 

Often, database administrators set databases to give people read access and rarely have controls to detect when someone might be abusing that access. Even so, "basic network anomaly detection likely could have caught this," Bambenek says.  

**A Rare Peek**

The Shanghai police data compromise is also notable because there have been few instances where a major cybersecurity incident in China has become public knowledge. 

"While China has historically been home to one of the world's largest communities of cybercriminals, domestic Chinese breaches are rarely disclosed because the Chinese government censors media coverage," Cybersixgill's Yusupov says. For instance, major Chinese social media platforms such as Weibo and WeChat both censored news of the Shanghai police database breach.

Even so, there have been other instances where details of breaches within China have trickled to the outside world, Yusupov notes. One example is a 2016 incident in which an anonymous hacker took to Twitter to expose sensitive information related to dozens of Chinese Communist Party officials and Chinese business magnates, such as Alibaba Group founder Jack Ma and real estate tycoon Wang Jianlin of the Dalian Wanda Group.

Other examples include a 2020 incident where a malicious actor stole the data of more than 538 million users and one in May where tens of thousands of apparently hacked files from China's northern Xinjiang region were released, exposing the persecution of the Uyghur ethnic minority there, she says.

Tag

#amazon