Ubuntu Security Notice 7089-3 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7089-3November 07, 2024linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-6.8: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle-6.8: Linux kernel for Oracle Cloud systemsDetails:Chenyuan Yang discovered that the USB Gadget subsystem in the Linuxkernel did not properly check for the device to be enabled beforewriting. A local attacker could possibly use this to cause a denial ofservice. (CVE-2024-25741)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM32 architecture;  - MIPS architecture;  - PA-RISC architecture;  - PowerPC architecture;  - RISC-V architecture;  - S390 architecture;  - x86 architecture;  - Cryptographic API;  - Serial ATA and Parallel ATA drivers;  - Null block device driver;  - Bluetooth drivers;  - Cdrom driver;  - Clock framework and drivers;  - Hardware crypto device drivers;  - CXL (Compute Express Link) drivers;  - Cirrus firmware drivers;  - GPIO subsystem;  - GPU drivers;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - Fastrpc Driver;  - Network drivers;  - Microsoft Azure Network Adapter (MANA) driver;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - NVMEM (Non Volatile Memory) drivers;  - PCI subsystem;  - Pin controllers subsystem;  - x86 platform drivers;  - S/390 drivers;  - SCSI drivers;  - Thermal drivers;  - TTY drivers;  - UFS subsystem;  - USB DSL drivers;  - USB core drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - VFIO drivers;  - VHOST drivers;  - File systems infrastructure;  - BTRFS file system;  - GFS2 file system;  - JFFS2 file system;  - JFS file system;  - Network file systems library;  - Network file system client;  - NILFS2 file system;  - NTFS3 file system;  - SMB network file system;  - Memory management;  - Netfilter;  - Tracing infrastructure;  - io_uring subsystem;  - BPF subsystem;  - Core kernel;  - Bluetooth subsystem;  - CAN network layer;  - Ceph Core library;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - MAC80211 subsystem;  - Network traffic control;  - Sun RPC protocol;  - Wireless networking;  - AMD SoC Alsa drivers;  - SoC Audio for Freescale CPUs drivers;  - MediaTek ASoC drivers;  - SoC audio core drivers;  - SOF drivers;  - Sound sequencer drivers;(CVE-2024-42239, CVE-2024-42079, CVE-2024-41080, CVE-2024-42064,CVE-2024-42127, CVE-2024-41049, CVE-2024-41086, CVE-2024-42142,CVE-2024-42244, CVE-2024-41060, CVE-2024-42131, CVE-2024-42085,CVE-2024-42246, CVE-2024-41062, CVE-2024-42115, CVE-2024-42234,CVE-2024-42080, CVE-2024-41095, CVE-2024-41063, CVE-2024-42227,CVE-2024-41089, CVE-2024-42133, CVE-2024-43858, CVE-2024-42135,CVE-2024-42113, CVE-2024-42120, CVE-2024-42149, CVE-2024-42132,CVE-2024-41038, CVE-2024-41069, CVE-2024-41090, CVE-2024-41059,CVE-2024-41028, CVE-2024-42126, CVE-2024-42121, CVE-2024-42155,CVE-2024-42110, CVE-2024-41021, CVE-2024-41044, CVE-2024-42098,CVE-2024-42235, CVE-2024-41083, CVE-2024-41065, CVE-2024-42094,CVE-2024-42229, CVE-2024-42240, CVE-2024-42225, CVE-2024-42230,CVE-2024-41088, CVE-2024-42073, CVE-2024-42145, CVE-2024-42076,CVE-2024-42087, CVE-2024-42241, CVE-2024-41019, CVE-2024-41052,CVE-2024-42093, CVE-2024-42063, CVE-2024-41039, CVE-2024-42106,CVE-2024-42108, CVE-2024-42237, CVE-2024-41048, CVE-2024-41033,CVE-2023-52888, CVE-2024-41096, CVE-2024-41032, CVE-2024-41091,CVE-2024-42238, CVE-2024-41056, CVE-2024-42091, CVE-2024-42088,CVE-2024-41047, CVE-2024-42271, CVE-2024-41064, CVE-2024-42223,CVE-2024-42129, CVE-2024-42102, CVE-2024-42146, CVE-2024-42138,CVE-2024-41079, CVE-2024-42232, CVE-2024-42112, CVE-2024-39487,CVE-2024-42245, CVE-2024-41093, CVE-2024-41066, CVE-2024-43855,CVE-2024-41055, CVE-2024-42100, CVE-2024-41053, CVE-2024-42069,CVE-2024-42252, CVE-2024-42243, CVE-2024-42124, CVE-2024-41054,CVE-2024-42151, CVE-2024-42118, CVE-2024-42251, CVE-2024-42137,CVE-2024-41071, CVE-2024-41010, CVE-2024-41087, CVE-2024-41050,CVE-2024-42068, CVE-2024-42158, CVE-2024-41075, CVE-2024-42141,CVE-2024-42236, CVE-2024-41068, CVE-2024-42157, CVE-2024-42140,CVE-2024-41058, CVE-2024-41076, CVE-2024-42097, CVE-2024-41029,CVE-2024-41097, CVE-2024-42109, CVE-2024-41051, CVE-2024-41061,CVE-2024-42156, CVE-2024-42101, CVE-2024-41031, CVE-2024-41017,CVE-2024-42247, CVE-2024-42128, CVE-2024-41085, CVE-2024-41072,CVE-2024-42248, CVE-2024-41045, CVE-2024-42104, CVE-2024-42253,CVE-2024-42117, CVE-2024-41078, CVE-2024-42130, CVE-2024-42090,CVE-2024-42280, CVE-2024-42250, CVE-2024-42231, CVE-2024-41042,CVE-2024-42077, CVE-2024-42153, CVE-2024-41015, CVE-2024-41035,CVE-2024-41082, CVE-2024-42114, CVE-2024-41007, CVE-2024-41073,CVE-2024-42161, CVE-2024-42082, CVE-2024-42150, CVE-2024-42111,CVE-2024-42086, CVE-2024-42095, CVE-2024-41025, CVE-2024-41081,CVE-2024-42105, CVE-2024-41027, CVE-2024-42089, CVE-2024-39486,CVE-2024-41084, CVE-2024-42092, CVE-2024-42152, CVE-2024-41022,CVE-2024-41077, CVE-2024-41098, CVE-2024-41023, CVE-2024-42066,CVE-2024-41034, CVE-2024-41037, CVE-2024-41046, CVE-2023-52887,CVE-2024-42147, CVE-2024-42065, CVE-2024-42096, CVE-2024-41018,CVE-2024-42067, CVE-2024-41041, CVE-2024-42103, CVE-2024-42084,CVE-2024-42074, CVE-2024-41094, CVE-2024-42119, CVE-2024-41012,CVE-2024-41020, CVE-2024-41074, CVE-2024-42144, CVE-2024-41067,CVE-2024-42070, CVE-2024-41057, CVE-2024-41036, CVE-2024-42136,CVE-2024-41030, CVE-2024-41070, CVE-2024-41092)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1015-oracle   6.8.0-1015.16  linux-image-6.8.0-1015-oracle-64k  6.8.0-1015.16  linux-image-6.8.0-1018-aws      6.8.0-1018.20  linux-image-aws                 6.8.0-1018.20  linux-image-oracle              6.8.0-1015.16  linux-image-oracle-64k          6.8.0-1015.16Ubuntu 22.04 LTS  linux-image-6.8.0-1015-oracle   6.8.0-1015.15~22.04.1  linux-image-6.8.0-1015-oracle-64k  6.8.0-1015.15~22.04.1  linux-image-6.8.0-1018-aws      6.8.0-1018.19~22.04.1  linux-image-aws                 6.8.0-1018.19~22.04.1  linux-image-oracle              6.8.0-1015.15~22.04.1  linux-image-oracle-64k          6.8.0-1015.15~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7089-3  https://ubuntu.com/security/notices/USN-7089-2  https://ubuntu.com/security/notices/USN-7089-1  CVE-2023-52887, CVE-2023-52888, CVE-2024-25741, CVE-2024-39486,  CVE-2024-39487, CVE-2024-41007, CVE-2024-41010, CVE-2024-41012,  CVE-2024-41015, CVE-2024-41017, CVE-2024-41018, CVE-2024-41019,  CVE-2024-41020, CVE-2024-41021, CVE-2024-41022, CVE-2024-41023,  CVE-2024-41025, CVE-2024-41027, CVE-2024-41028, CVE-2024-41029,  CVE-2024-41030, CVE-2024-41031, CVE-2024-41032, CVE-2024-41033,  CVE-2024-41034, CVE-2024-41035, CVE-2024-41036, CVE-2024-41037,  CVE-2024-41038, CVE-2024-41039, CVE-2024-41041, CVE-2024-41042,  CVE-2024-41044, CVE-2024-41045, CVE-2024-41046, CVE-2024-41047,  CVE-2024-41048, CVE-2024-41049, CVE-2024-41050, CVE-2024-41051,  CVE-2024-41052, CVE-2024-41053, CVE-2024-41054, CVE-2024-41055,  CVE-2024-41056, CVE-2024-41057, CVE-2024-41058, CVE-2024-41059,  CVE-2024-41060, CVE-2024-41061, CVE-2024-41062, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41066, CVE-2024-41067,  CVE-2024-41068, CVE-2024-41069, CVE-2024-41070, CVE-2024-41071,  CVE-2024-41072, CVE-2024-41073, CVE-2024-41074, CVE-2024-41075,  CVE-2024-41076, CVE-2024-41077, CVE-2024-41078, CVE-2024-41079,  CVE-2024-41080, CVE-2024-41081, CVE-2024-41082, CVE-2024-41083,  CVE-2024-41084, CVE-2024-41085, CVE-2024-41086, CVE-2024-41087,  CVE-2024-41088, CVE-2024-41089, CVE-2024-41090, CVE-2024-41091,  CVE-2024-41092, CVE-2024-41093, CVE-2024-41094, CVE-2024-41095,  CVE-2024-41096, CVE-2024-41097, CVE-2024-41098, CVE-2024-42063,  CVE-2024-42064, CVE-2024-42065, CVE-2024-42066, CVE-2024-42067,  CVE-2024-42068, CVE-2024-42069, CVE-2024-42070, CVE-2024-42073,  CVE-2024-42074, CVE-2024-42076, CVE-2024-42077, CVE-2024-42079,  CVE-2024-42080, CVE-2024-42082, CVE-2024-42084, CVE-2024-42085,  CVE-2024-42086, CVE-2024-42087, CVE-2024-42088, CVE-2024-42089,  CVE-2024-42090, CVE-2024-42091, CVE-2024-42092, CVE-2024-42093,  CVE-2024-42094, CVE-2024-42095, CVE-2024-42096, CVE-2024-42097,  CVE-2024-42098, CVE-2024-42100, CVE-2024-42101, CVE-2024-42102,  CVE-2024-42103, CVE-2024-42104, CVE-2024-42105, CVE-2024-42106,  CVE-2024-42108, CVE-2024-42109, CVE-2024-42110, CVE-2024-42111,  CVE-2024-42112, CVE-2024-42113, CVE-2024-42114, CVE-2024-42115,  CVE-2024-42117, CVE-2024-42118, CVE-2024-42119, CVE-2024-42120,  CVE-2024-42121, CVE-2024-42124, CVE-2024-42126, CVE-2024-42127,  CVE-2024-42128, CVE-2024-42129, CVE-2024-42130, CVE-2024-42131,  CVE-2024-42132, CVE-2024-42133, CVE-2024-42135, CVE-2024-42136,  CVE-2024-42137, CVE-2024-42138, CVE-2024-42140, CVE-2024-42141,  CVE-2024-42142, CVE-2024-42144, CVE-2024-42145, CVE-2024-42146,  CVE-2024-42147, CVE-2024-42149, CVE-2024-42150, CVE-2024-42151,  CVE-2024-42152, CVE-2024-42153, CVE-2024-42155, CVE-2024-42156,  CVE-2024-42157, CVE-2024-42158, CVE-2024-42161, CVE-2024-42223,  CVE-2024-42225, CVE-2024-42227, CVE-2024-42229, CVE-2024-42230,  CVE-2024-42231, CVE-2024-42232, CVE-2024-42234, CVE-2024-42235,  CVE-2024-42236, CVE-2024-42237, CVE-2024-42238, CVE-2024-42239,  CVE-2024-42240, CVE-2024-42241, CVE-2024-42243, CVE-2024-42244,  CVE-2024-42245, CVE-2024-42246, CVE-2024-42247, CVE-2024-42248,  CVE-2024-42250, CVE-2024-42251, CVE-2024-42252, CVE-2024-42253,  CVE-2024-42271, CVE-2024-42280, CVE-2024-43855, CVE-2024-43858Package Information:  https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1018.20  https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1015.16  https://launchpad.net/ubuntu/+source/linux-aws-6.8/6.8.0-1018.19~22.04.1  https://launchpad.net/ubuntu/+source/linux-oracle-6.8/6.8.0-1015.15~22.04.1

Ubuntu Security Notice USN-7089-3

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials.
The package in question is "fabrice," which typosquats a popular Python library known as "fabric," which is designed to execute shell commands remotely over

Vulnerability / Cloud Security

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials.

The package in question is "fabrice," which typosquats a popular Python library known as "fabric," which is designed to execute shell commands remotely over SSH.

While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. As of writing, "fabrice" is still available for download from PyPI. It was first published in March 2021.

The typosquatting package is designed to exploit the trust associated with "fabric," incorporating "payloads that steal credentials, create backdoors, and execute platform-specific scripts," security firm Socket said.

"Fabrice" is designed to carry out its malicious actions based on the operating system on which it's installed. On Linux machines, it uses a specific function to download, decode, and execute four different shell scripts from an external server ("89.44.9\[.\]227").

On systems running Windows, two different payloads – a Visual Basic Script ("p.vbs") and a Python script – are extracted and executed, with the former running a hidden Python script ("d.py") stored in the Downloads folder.

"This VBScript functions as a launcher, allowing the Python script to execute commands or initiate further payloads as designed by the attacker," security researchers Dhanesh Dodia, Sambarathi Sai, and Dwijay Chintakunta said.

The other Python script is designed to download a malicious executable from the same remote server, save it as "chrome.exe" in the Downloads folder, set up persistence using scheduled tasks to run the binary every 15 minutes, and finally delete the "d.py" file.

The end goal of the package, regardless of the operating system, appears to be credential theft, gathering AWS access and secret keys using the Boto3 AWS Software Development Kit (SDK) for Python and exfiltrating the information back to the server.

"By collecting AWS keys, the attacker gains access to potentially sensitive cloud resources," the researchers said. "The fabrice package represents a sophisticated typosquatting attack, crafted to impersonate the trusted fabric library and exploit unsuspecting developers by gaining unauthorized access to sensitive credentials on both Linux and Windows systems."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious PyPI Package ‘Fabrice’ Found Stealing AWS Keys from Thousands of Developers

Google Cloud will take a phased approach to make multifactor authentication mandatory for all users.

Source: Genius Studio via Adobe Stock Photo

In a bid to improve account security, Google will enforce mandatory multifactor authentication (MFA) for all Google Cloud users by the end of 2025. Currently, 70% of Google users have MFA enabled.

This requirement will apply to all Google Cloud users who currently use passwords for authentication and all new users; it will not apply to general consumer Google accounts. The company will begin the first phase of a year-long implementation this month.

*   In Phase 1, Google Cloud administrators will receive information on how to prepare for the transition. Phase 1 will raise awareness and provide materials to help plan a rollout and conduct testing.
    
*   Phase 2, to begin in early 2025, will require all new users and existing Google Cloud users who use passwords for authentication to enable MFA on their accounts. The notifications and guidance will be displayed in Google Cloud Console, Firebase Console, gCloud, and other platforms.
    
*   Phase 3, at the end of 2025, will require users who federate authentication into Google Cloud to turn on MFA. Users can enable MFA with their primary identity providers before accessing Google Cloud — or add an extra layer of MFA through the Google account.
    

"Beginning this month, you'll find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users," the company said.

MFA adoption is one of the key recommendations in the Cybersecurity and Infrastructure Security Agency's (CISA) Secure By Design initiative. The shift to mandatory MFA is happening throughout the industry. In June, Amazon started requiring mandatory MFA for Amazon Web Services. Customers signing into the AWS Management Console with the root user of an AWS Organizations management account also had to start using MFA, which has since been extended to stand-alone accounts outside of AWS Organizations.

Mandatory MFA has also be adopted by Snowflake, which in July introduced an option to allow administrators to enforce mandatory MFA for all users. The following monty, Microsoft announced its rollout for Microsoft Azure. Microsoft's plan, similar to Google Cloud's, takes a phased approach. Phase 1 for Microsoft started last month, with MFA required to sign in to Azure portal, Microsoft Entra admin center, and Intune admin center. Phase 2, also beginning early next year, will gradually enforce MFA for Azure CLI (command-line interface), Azure PowerShell, Azure mobile app, and infrastructure-as-code tools.

While CISA has said that MFA means users are 99% less likely to be hacked, it is important to remember that MFA is not foolproof.

"Mandatory MFA is necessary but not sufficient for enterprise security," says Jasson Casey, CEO of Beyond Identity. "This is because MFA is not created equal and doesn't offer the same level of security assurances."

MFA and two-factor authentication has been in use in some shape or form for more than 20 years, and attackers have had time to innovate against it, said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement. Threat actors are increasingly launching phishing operations that can bypass legacy MFA, which is why the National Institute of Standards and Technology and CISA have urged adopting phishing-resistant MFA.

Google Cloud to Enforce MFA on Accounts in 2025

Ubuntu Security Notice 7088-3 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-3November 06, 2024linux-aws-5.4, linux-oracle-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systemsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in theLinux kernel contained an integer overflow vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2021-47212, CVE-2024-44965, CVE-2024-46676, CVE-2024-41091,CVE-2024-44946, CVE-2024-43894, CVE-2024-26668, CVE-2024-42259,CVE-2024-42295, CVE-2024-46685, CVE-2024-46722, CVE-2024-45028,CVE-2024-46815, CVE-2024-41081, CVE-2024-41022, CVE-2024-44948,CVE-2024-42301, CVE-2024-43914, CVE-2024-46771, CVE-2024-42289,CVE-2024-43841, CVE-2024-41042, CVE-2024-44999, CVE-2024-43893,CVE-2024-46758, CVE-2024-46828, CVE-2024-36484, CVE-2024-26669,CVE-2024-44952, CVE-2024-42265, CVE-2024-42311, CVE-2024-43880,CVE-2024-41070, CVE-2024-46829, CVE-2024-42292, CVE-2024-46719,CVE-2024-41020, CVE-2024-41015, CVE-2024-42283, CVE-2024-46744,CVE-2024-46679, CVE-2024-46800, CVE-2024-46777, CVE-2024-43835,CVE-2024-42271, CVE-2024-43882, CVE-2024-41072, CVE-2024-35848,CVE-2024-43860, CVE-2024-38611, CVE-2024-26607, CVE-2024-47663,CVE-2024-46780, CVE-2024-46675, CVE-2024-45003, CVE-2024-44969,CVE-2024-42244, CVE-2024-43856, CVE-2024-46755, CVE-2024-42286,CVE-2024-41063, CVE-2024-41068, CVE-2024-46743, CVE-2024-43839,CVE-2024-41065, CVE-2023-52531, CVE-2024-41090, CVE-2024-46747,CVE-2023-52614, CVE-2024-43853, CVE-2024-46737, CVE-2024-45021,CVE-2024-41012, CVE-2024-41064, CVE-2024-26800, CVE-2024-42246,CVE-2024-43908, CVE-2024-46723, CVE-2024-42310, CVE-2024-46781,CVE-2023-52918, CVE-2024-42313, CVE-2024-45006, CVE-2024-43890,CVE-2024-44954, CVE-2024-43858, CVE-2024-41098, CVE-2024-41071,CVE-2024-26641, CVE-2024-42280, CVE-2024-46673, CVE-2024-43846,CVE-2024-46721, CVE-2024-47667, CVE-2024-26885, CVE-2024-42304,CVE-2024-46745, CVE-2024-26640, CVE-2024-43861, CVE-2024-42287,CVE-2024-44998, CVE-2024-40929, CVE-2024-41073, CVE-2024-46689,CVE-2024-44944, CVE-2024-46756, CVE-2024-42305, CVE-2024-42284,CVE-2024-42281, CVE-2024-42288, CVE-2024-41011, CVE-2024-47668,CVE-2024-43830, CVE-2024-46740, CVE-2024-46677, CVE-2024-43867,CVE-2024-46783, CVE-2024-46844, CVE-2024-43854, CVE-2024-42297,CVE-2024-46738, CVE-2024-46739, CVE-2024-44947, CVE-2024-43883,CVE-2024-43884, CVE-2024-46798, CVE-2024-46757, CVE-2024-43879,CVE-2024-47659, CVE-2024-46817, CVE-2024-45008, CVE-2024-47669,CVE-2024-43871, CVE-2024-44960, CVE-2024-27051, CVE-2024-44988,CVE-2024-46840, CVE-2024-41059, CVE-2024-46822, CVE-2024-42276,CVE-2024-45026, CVE-2024-46761, CVE-2024-44995, CVE-2024-44987,CVE-2024-26891, CVE-2024-46782, CVE-2024-42309, CVE-2024-42131,CVE-2024-46759, CVE-2024-42229, CVE-2024-46714, CVE-2024-42290,CVE-2024-44935, CVE-2024-42285, CVE-2024-38602, CVE-2024-43829,CVE-2024-42306, CVE-2024-41017, CVE-2024-45025, CVE-2024-46818,CVE-2024-46750)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-5.4.0-1134-oracle   5.4.0-1134.143~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-1135-aws      5.4.0-1135.145~18.04.1          Available with Ubuntu Pro  linux-image-aws                 5.4.0.1135.145~18.04.1          Available with Ubuntu Pro  linux-image-oracle              5.4.0.1134.143~18.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-3  https://ubuntu.com/security/notices/USN-7088-2  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669

Ubuntu Security Notice USN-7088-3

Google's cloud division has announced that it will enforce mandatory multi-factor authentication (MFA) for all users by the end of 2025 as part of its efforts to improve account security.
"We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025," Mayank Upadhyay, vice president of engineering and distinguished engineer at

Cloud Security / Phishing Protection

Google's cloud division has announced that it will enforce mandatory multi-factor authentication (MFA) for all users by the end of 2025 as part of its efforts to improve account security.

"We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025," Mayank Upadhyay, vice president of engineering and distinguished engineer at Google Cloud, said in a statement.

"To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments."

The rollout process is scheduled to take place over three stages, starting from this month and until the end of 2025 -

*   **Phase 1** (Starting November 2024), when administrators will be provided information to prepare for the security upgrade
*   **Phase 2** (Early 2025), when Google will begin requiring MFA for all new and existing Google Cloud users who sign in with a password
*   **Phase 3** (End of 2025), when Google will extend MFA protections to federated users

"For example, you can enable MFA with your primary identity provider before accessing Google Cloud — we will be working closely with identity providers to ensure there are standards in place for a smooth hand-off," Upadhyay said.

"Alternatively, you can add an extra layer of MFA through your Google account if you prefer to use our system."

The development comes as phishing and stolen credentials continue to be the primary way through which threat actors gain unauthorized access to computer networks.

The announcement also follows similar moves from its cloud rivals Amazon and Microsoft, which have also begun enacting mandatory MFA for Amazon Web Services (AWS) and Azure, respectively, in recent months.

In July 2024, data warehousing company Snowflake introduced an option that allows administrators to enforce mandatory MFA for all users following a data breach campaign that leveraged stolen credentials from more than 165 of its customers.

The threat actor allegedly behind the data theft and extortion scheme, a 26-year-old Canadian man named Alexander "Connor" Moucka, was arrested late last month at the request of U.S. authorities. Another co-conspirator, John Erin Binns, was arrested in Turkey in late May 2024.

Other members of the UNC5537 cybercriminal gang, which is part of a larger underground network called the Com, remain at large, according to WIRED.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

The suspect, tracked as UNC5537, allegedly bragged about hacking several Snowflake victims on Telegram, drawing attention to himself.

Source: GK Images via Alamy Stock Photo

Canadian authorities arrested Alexander "Connor" Moucka, whom they believe orchestrated a malicious campaign that compromised 165 Snowflake accounts.

Moucka was scheduled to appear in court today, though limited information has been shared regarding his arrest or potential extradition. Online, Moucka reportedly went by the aliases "Judische" and "Waifu."

Snowflake is an American cloud-based data storage company operating on Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Judische bragged about hacking several Snowflake victims on Telegram just before the attacks were confirmed, prompting suspicion.

In May, the storage vendor warned that a limited number of customer accounts were targeted by threat actors, none of which were protected by multifactor authentication.

Google Mandiant later investigated the breach and found that the attackers used previously compromised credentials from information-stealer infections to access these accounts.

The threat actor behind the attacks is tracked as UNC5537, with its campaign beginning in April and targeting organizations such as Ticketmaster, Advanced Auto Parts, Neiman Marcus, State Farm, AT&T, and others.

In the past, the threat actor has demanded ransom payments ranging from $300,000 to $5 million from organizations in exchange for deleting data it steals from their Snowflake accounts.  
Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now! 

**About the Author**

Canadian Authorities Arrest Attacker Who Stole Snowflake Data

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client…

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client data across multiple platforms efficiently. 

****The NAKIVO Backup Solution for MSPs: Data Protection for VMware, Microsoft 365, Proxmox and More** **

The growing demand for reliable data backup among individuals and organizations is simultaneously an opportunity and a challenge for managed service providers (MSPs). On one hand, finding the best MSP backup solution for multiple IT platforms can help expand the client base and increase revenue. On the other hand, the need to protect several environments can complicate management and impact the service quality.

MSPs need a comprehensive set of data protection functions with convenient management capabilities for multiple environments including VMware, Microsoft 365 and Proxmox. The NAKIVO backup solution for MSPs provides up-to-date functionality, extended compatibility, streamlined management, ultimate scalability, and flexible licensing.

****NAKIVO: The Best MSP Backup and Recovery Solution** **

The NAKIVO backup solution for MSP allows you to deliver robust data protection services, including backup-as-a-service (BaaS) and disaster-recovery-as-a-service (DraaS), for client infrastructures of any type, size and complexity. The features developed specifically for managed service providers enable seamless data protection and convenient management. Download the Free Trial and get 15 days to try the solution without feature or capacity limitations.

****MSP Backup and Recovery for VMware Environments****

NAKIVO backup solution for MSP enables you to provide efficient managed online backup services for VMware workloads. You can store backups of VMware VMs and data locally or send them offsite to Amazon S3, Wasabi, Azure Blob, Backblaze B2 or any other S3-compatible storage. NAS and tape destinations are also available.

The most noteworthy features are: 

*   Native integration with VMware’s Changed Block Tracking (CBT) for incremental backups.
*   Flash VM Boot – boot VMware virtual machines to original or custom hosts directly from backups for instant recovery.
*   Replication from backup – perform incremental replication from backups to offload production environments.
*   Real-Time ReplicationBETA – create exact copies of VMs and continuously update them to ensure near-instant RPOs.
*   Automated Failover – configure failover to replicas and launch presets once an incident occurs, achieving near-zero RTOs.
*   Physical-to-virtual recovery (P2V) – restore Windows and Linux machines as VMware vSphere VMs.
*   Cross-platform recovery – recover Hyper-V VMs as VMware workloads and vice versa. 

Use the NAKIVO Backup solution for MSPs to enable reliable backup and swift, flexible recovery of client VMware infrastructures, VMs and data items. 

****Microsoft 365 Data Protection: Backup as a Service for Office 365****

NAKIVO provides SaaS backup functionality to protect Microsoft 365 data. The solution enables: 

*   Backups of Microsoft 365 data, including Exchange Online, OneDrive for Business, SharePoint Online and Microsoft Teams.
*   Onsite Microsoft 365 backup storage for data availability and resilience to cyber threats.
*   Using Microsoft’s native change tracking technology for Exchange Online and Teams to accelerate backup workflows and optimize storage space usage.
*   Fast granular recovery – near-instant recovery of the required items without restoring an entire user account.
*   Retention flexibility – custom retention policies with recovery points rotated daily, weekly, monthly or yearly to store data for as long as you need

NAKIVO Backup solution for MSPs makes data protection in Microsoft 365 straightforward, ensuring SaaS data availability, business continuity and compliance for your clients.

****Proxmox Backup and Recovery: A New Frontier for MSPs****

With the latest update, NAKIVO’s backup as a service solution now supports agent-based backup and recovery for Proxmox VE. The available Proxmox data protection functionality includes the following: 

*   Fast, incremental and app-aware backups of Proxmox VMs.
*   Backup data tiering with multiple destinations including onsite, offsite, public cloud, NAS, deduplication appliances or tape storage.
*   Immutable storage, data encryption, role-based access control and two-factor authentication to protect Proxmox backup data from ransomware and unauthorized access.
*   Full VM recovery or granular recovery of individual files, folders and app objects to original or custom locations.

NAKIVO Backup for MSPs allows you to offer your clients several backups as a service benefit such as affordability and delegated administration combined with the free Proxmox hypervisor. This brings enhanced data availability and infrastructure resilience while maintaining the initial cost-efficiency of systems for clients.

****NAKIVO Backup Solution for MSPs: Versatility Across Environments****

With the NAKIVO solution, you can deliver managed backup as a service for physical, virtual, cloud, SaaS and hybrid environments, including:   

*   NAS
*   File shares
*   Proxmox VE
*   Nutanix AHV
*   Oracle RMAN
*   Microsoft Hyper-V
*   AWS EC2 instances
*   VMware vSphere and Cloud Director
*   Windows and Linux physical servers and workstations 

The wide range of supported environments allows you to easily and quickly cater to the unique needs of every client. With a single MSP backup solution to serve all clients, you can minimize management overhead, increase productivity and scale your business with ease. 

****Ransomware Protection and Advanced Security for MSPs****

Reliable solutions that offer backup and disaster recovery as a service should prioritize threat protection over prevention, enabling clients to restore data even in worst-case scenarios. The NAKIVO solution provides:

*   Immutable storage – enables immutability for local and cloud repositories to protect backup data from change or deletion by ransomware.
*   Malware scan – check your backups before recovery to ensure they don’t contain malware.
*   AES-256 encryption – enables encryption for backup data both during transfer and retention to prevent third-party access. 
*   Role-based access control (RBAC) – limit backup and recovery operations to specific users and ensure authorized access to data protection activities.
*   Direct Connect – connect to clients’ remote resources via a secure port channel without the need to establish and maintain a VPN.

With the NAKIVO backup solution for MSPs, you can ensure client data availability and recoverability when other cybersecurity measures fail. 

****Ease of Management and Automation for MSPs****

Streamlining management and workflow automation are key to efficient MSP backup and recovery. The solution from NAKIVO includes:

*   Multi-tenant mode – create isolated environments for up to 100 clients (tenants) with a single solution deployment.
*   Tenant resource allocation – flexibly allocate VMs, hosts, clusters, backup repositories and other resources in your infrastructure to tenants.
*   MSP Console – uses a unified and intuitive web interface to manage remote client environments from a single panel.
*   Self-service portal – allows clients to manage their own data protection activities.
*   Automation and scheduling – schedule custom backup and recovery workflows from the centralized panel to avoid overlaps and resource bottlenecks.
*   Policy-based data protection – set up policy rules to automatically back up or replicate machines that match the criteria you define.
*   Backup verification – receive verification reports or OS screenshots to verify that backups are recoverable. 
*   Site Recovery – create presets to automate and orchestrate complex disaster recovery sequences and restore entire environments in just a few clicks.
*   Non-disruptive DR testing – run disaster recovery tests by schedule or on demand without disrupting production networks.

Use the advanced management, automation and scheduling capabilities of the NAKIVO solution to adjust to every client’s needs. Ensure data security in the most dynamic and ramified environments.

****MSP Backup Pricing and Cost Efficiency****

NAKIVO offers convenient licensing for managed service providers. This means:

*   5 editions with different feature sets – pick the edition that suits your offering.
*   Perpetual or subscription-based license – choose the one that maximizes your profits.
*   Per-workload pricing – ensure there are no upfront fees or extra costs for unused capacity.
*   Monthly and annual subscription – pay monthly for added flexibility or annually for sizable discounts and additional savings.
*   24/7 vendor support – get in touch with NAKIVO experts whenever you need to guarantee service quality and meet SLAs. 
*   MSP Partner Program – receive certification, training and free marketing support from NAKIVO. 

You can leverage these benefits to increase your business efficiency and win more clients. Provide quality services at affordable costs to boost your revenue.

****Conclusion****

The NAKIVO solution enables efficient MSP backup and recovery for VMware, Microsoft 365, Proxmox VE and other platforms. Install the Free Trial to test the solution’s data protection management, recovery and cybersecurity capabilities in your environment. With NAKIVO, you can provide the best MSP backup solution, meet client needs, cut costs by up to 50%, increase productivity and grow your profit.  

1.  **How To Create a Complete GitHub Backup**
2.  **Recover Lost Data with Mac Data Recovery Software**
3.  **How to Recover Illustrator Files on Windows and Mac**
4.  **Microsoft Planner Backup – Restore: Guide to Data Protection**
5.  **Insights on Google Cloud Backup & Disaster Recovery Service**

NAKIVO Backup for MSP: Best Backup Solution for MSPs

The large-scale operation took advantage of open repositories, hardcoded credentials in source code, and other cloud oversights.

Source: Tithi Luadthong via Alamy Stock Photo

Earlier this week, researchers uncovered a major cybercriminal operation, dubbed EmeraldWhale, after the attackers dumped more than 15,000 credentials into a stolen, open AWS S3 bucket in a massive Git repository theft campaign. The incident is a reminder to tighten up cloud configurations and review source code for mistakes like the inclusion of hardcoded credentials.

Over the course of the onslaught, EmeraldWhale targeted Git configurations in order to steal credentials, cloned more than 10,000 private repositories, and extracted cloud credentials from source code. 

The campaign used a variety of private tools to abuse misconfigured Web and cloud services, according to the Sysdig Threat Research Team, which discovered the global operation. Phishing is the primary tool the campaign used to steal the credentials, which can be worth hundreds of dollars per account on the Dark Web. The operation also makes money by selling its target lists on underground marketplaces for others to engage in the same activity.

**EmeraldWhale's First Breach**

The researchers were initially monitoring Sysdig TRT cloud honeypot when it observed a ListBuckets call using a compromised account — an S3 bucket dubbed s3simplisitter.

The bucket belonged to an unknown account and was publicly exposed. After launching an investigation, the researchers found evidence of a multifaceted attack, including Web scraping of Git files in open repositories. A massive scanning campaign occurred between August and September, according to the researchers, affecting servers with exposed Git repository configuration files, which can contain hardcoded credentials.

"As security professionals, we cannot afford to be complacent, particularly when it comes to keeping sensitive secrets, API tokens, and authentication credentials out of our source code," Naomi Buckwalter, director of product security at Contrast Security, wrote in an emailed statement to Dark Reading. "Not only should infosec professionals be on the front lines educating their development teams on how to securely store, manage, and access secrets, they should also regularly scan their source code for hard coded credentials and monitor credential usage for anomalous activity."

**Always Have Your Guard Up**

In general, Git directories contain "all information required for version control, including the complete commit history, configuration files, branches, and references."

"If the .git directory is exposed, attackers can retrieve valuable data about the repository's history, structure, and sensitive project information," added the researchers. "This includes commit messages, usernames, email addresses, and passwords or API keys if the repository requires them or if they were committed."

The incident is clear reminder that it's critical for businesses and organizations to have visibility on all services and get a clear view on potential attack surfaces in order to consistently manage them and mitigate threats.

"Many breaches occur because internal services are inadvertently exposed to the public Internet, making them easy targets for malicious actors," Victor Acin, head of threat intel at Outpost24, wrote in an emailed statement to Dark Reading.

Acin recommended that enterprises implement a "proper external attack surface management (EASM) platform" to keep track of potential misconfigurations and shadow IT.

And even when private repositories are supposedly secure, it's worth adding additional protections and ensuring that information is locked down.

EmeraldWhale's Massive Git Breach Highlights Config Gaps

The sophisticated Chinese cyberattacks of today rest on important groundwork laid during the pandemic and before.

Source: Cinematic via Alamy Stock Photo

Chinese threat actors are operating at a higher level today than ever before, thanks to years of trial-and-error-style attacks against mass numbers of edge devices.

Networking devices are a known favorite of China's advanced persistent threats (APT), and why wouldn't they be? Sitting on the outer banks of an enterprise network, they not only allow threat actors a way in, they also double as useful nodes for botnets. They offer opportunities for lateral movement, they often store sensitive data, and network defenders have a harder time seeing into and securing them than they do other kinds of network computers. 

Over time, Chinese APTs have been improving on their edge attack capabilities. Since 2018, Sophos has traced a distinct evolution in tactics: from naive, low-level attacks came more sophisticated campaigns against massive numbers of devices, followed by a period of more targeted attacks against specific organizations.

**The First Salvo in a Long Cyber War**

On Dec. 4, 2018, Sophos analysts discovered a suspicious device running network scans against Cyberoam, a Sophos subsidiary based in India. In some ways the attack was run of the mill, using commodity malware and common living-off-the-land (LotL) tactics.

Other evidence, though, suggested that this was something different. For example, the attacker utilized a novel technique to pivot from on-premises devices to the cloud, via an overly permissive identity and access management (IAM) configuration to the Amazon Web Services Systems Manager (AWS SM).

Related:Dark Reading News Desk Live From Black Hat USA 2024

"AWS SM was quite a new technology, and it was quite a subtle misconfiguration," Sophos chief information security officer (CISO) Ross McKerchar recalls. "That was one of the first indicators that we were up against an interesting adversary." 

Later, the attackers deployed a novel rootkit called Cloud Snooper. Cloud Snooper was so stealthy that two third-party consultancies missed it in their analysis, before Sophos eventually picked up on its presence.

The goal of the attack, it seemed, was to collect information useful for future attacks against edge devices. It was a harbinger of what was to come.

**A Five-Year Evolution in Chinese TTPs**

Chinese cyber threats blossomed from roughly 2020 to 2022, as attackers focused on identifying and breaching edge devices en masse.

It worked thanks to the large quantity of devices in the wild that have Internet-facing portals. Typically, these interfaces are designed for internal use. With COVID-19, though, more and more companies were allowing employees to connect from the open Web. This provided a window for hackers with the right kind of credentials or vulnerabilities to get in.

Related:The Overlooked Importance of Identifying Riskiest Users

It helped, too, that around that same time — July 2021 — China's Cyberspace Administration passed the Regulations on the Management of Network Product Security Vulnerability Information rules. These mandates forced cybersecurity researchers to report vulnerabilities to the country's Ministry of Industry and Information Technology (MIIT) before disclosing to any other parties. "It was designed to co-opt the whole country — private citizens included — into being assets for PRC objectives," McKerchar says. Sophos argues with medium confidence that two notable campaigns during this period were facilitated by vulnerabilities responsibly disclosed by researchers at universities in the Chinese city of Chengdu.

Chinese APTs weren't only interested in using compromised devices to attack the companies from whence they came. With varying degrees of success, they would often try to incorporate the devices into broader operational relay box networks (ORBs). These ORBs, in turn, offered higher-level threat actors more sophisticated infrastructure from which to launch more advanced attacks and hide any trace of their origin.

Related:FBI, Partners Disrupt RedLine, Meta Stealer Operations

**What's Happening Now**

After this noisy period, around the middle of 2022, Chinese APTs shifted yet again. Ever since, they've been focused on much more deliberate and targeted attacks against organizations of high value: government agencies, military contractors, research and development firms, critical infrastructure providers, and the like.

These attacks follow no single pattern, involving known and zero-day vulnerabilities, userl and and UEFI bootkits, and whatever other elements pair with active, hands-on-keyboard-type attacks. They almost certainly wouldn't be as sophisticated as they are, though, without all of the years of trial and error that occurred before. Evidence to that is just how effective these threat actors are at overcoming cybersecurity defenses. In recent years, they've demonstrated an ability to sabotage hotfixes for vulnerable devices, and block evidence of their activity from reaching Sophos analysts.

"There's a clear arc of moving to stealthier and stealthier persistence in the activity that we've uncovered," McKerchar says.

He explains how "the first malware, whilst it was bespoke for our devices, it wasn't really trying to hide. They were just banking on nobody looking. In the second wave of attacks they learned a bunch of lessons, remarkably quickly. The malware wasn't explicitly trying to hide, it was just smaller, and naturally able to blend in a bit more. Then after that, they started kind of pulling out more interesting tactics: Trojan class files, memory-resident malware, rootkits, bootkits."

He concludes, "It'd be hard to speculate on what's next, except \[that\] they're going to be improving again."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APTs Cash In on Years of Edge Device Attacks

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets…

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets for storage, increasing the risks of phishing and cloud account breaches.

The Sysdig Threat Research Team discovered a global operation called EMERALDWHALE, which targeted Git configurations, resulting in over 15,000 cloud service credentials being stolen. The primary goal of stealing credentials was phishing and spam, with the credentials potentially worth hundreds of dollars per account.

****The Attack Chain****

The campaign used private tools to abuse misconfigured web services, allowing attackers to steal credentials, clone repositories, and extract cloud credentials from their source code. Over 10,000 private repositories were collected, and the stolen data was stored in a previous victim’s S3 bucket.

The Sysdig Threat Research Team reported that attackers used tools such as httpx and Masscan to scan large portions of the internet for servers with exposed Git configuration files (/.git/config) and Laravel environment files (.env). Upon finding exposed files, attackers leveraged tools like MZR V2 and Seyzo-v2 to extract sensitive information, including usernames, passwords, and API keys, using regular expressions to locate relevant data within the files.

The stolen credentials enabled attackers to clone private repositories, exposing additional sensitive data, such as source code. Verified credentials were then tested across various cloud services to find valid ones, which were afterwards used for malicious activities, including phishing, spam campaigns, or further compromises of cloud accounts. Ultimately, the attackers uploaded stolen data to compromised S3 buckets.

****EMERALDWHALE’s Tools of Choice****

The investigation identified two main tools used by EMERALDWHALE: MZR V2 (MIZARU) and Seyzo-v2. MZR V2, a suite of Python and shell scripts, supports target discovery, credential extraction, repository cloning, and credential validation. Similarly, Seyzo-v2 automates credential theft from exposed Git configurations through scripts, enabling attackers to locate and extract sensitive data efficiently.

In addition to Git configurations, EMERALDWHALE also targeted exposed Laravel environment files (.env). These files often contain sensitive information like database credentials and cloud service API keys. Multigrabber v8.5 is a popular tool used to exploit vulnerabilities in Laravel and steal this sensitive data.

Operation EMERALDWHALE is one of the examples of how the stolen credentials market has become a lucrative business for cybercriminals. For example, target lists of exposed Git configurations were found to be sold for around $100. Valid cloud service credentials can also be sold in bulk or through automated shops, fetching a huge profit for attackers.

Tools being sold on Telegram (Via Sysdig Threat Research Team)

The finding shows the importance of proper configuration management in securing sensitive information. Ensuring Git configuration files are not publicly accessible, limiting access to necessary variables, and conducting regular vulnerability scans are crucial to staying protected.

“This attack shows that secret management alone is not enough to secure an environment. There are just too many places credentials could leak from. Monitoring the behaviour of any identities associated with credentials is becoming a requirement to protect against these threats,” the report read.

Rom Carmel, Co-Founder and CEO at Apono, weighed in on the recent development stating “This is yet another example of how credentials remain a top target for hackers who follow the adage, ‘teach a man to phish, and he’ll have access for a lifetime.’_“_

“With the right credentials, attackers can access all resources an identity is privileged to, creating an endless list of potential targets. Given the rise in leaked credentials and the availability of phishing kits bypassing MFA, organizations must adopt an ‘assumed breach’ posture.”

1.  Best Practices for Cloud Computing Security
2.  Abandoned S3 Buckets Used for Malicious Payloads
3.  350 million credentials exposed on misconfigured AWS S3 bucket
4.  iOS and Android Users at Risk as Popular Apps Expose Cloud Keys
5.  AI Firm’s Misconfigured Server Leaked 5.3TB of Mental Health Records

Tag

#aws