Categories: Business
Categories: News
Tags: blob

Tags:  SAS

Tags:  Microsoft

Tags:  Wiz

Tags:  secrets

Microsoft AI researchers posted a long-living, overly permissive, SAS token on GitHub, exposing 38 TB of data.



(Read more...)




The post Microsoft AI researchers accidentally exposed terabytes of sensitive data appeared first on Malwarebytes Labs.

Posted: September 19, 2023 by

Warnings about including credentials, keys, and tokens when sharing code on publicly accessible repositories shouldn’t be necessary. It should speak for itself that you don’t just hand over the keys to your data. But what if a misconfiguration ends in a supposed internal storage account becoming suddenly accessible to everyone?

That's how Microsoft managed to leak access to 38 terabytes of data.

Wiz Research found that Microsoft’s AI research team, while publishing a bucket of open-source training data on GitHub, accidentally exposed 38 terabytes of additional private data — including a disk backup of two employees’ workstations. The backups contained sensitive data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.

An Azure feature called Shared Access Signature (SAS) tokens, which allows users to share data from Azure Storage accounts, was the source of the problem.

SAS token can be used to restrict:

*   What resources a client can access
*   What operations a client can perform (read, write, list, delete)
*   What network a client can access from (HTTPS, IP address)
*   How long a client has access (start time, end time)

Blob storage is a type of cloud storage for unstructured data. A "blob," which is short for Binary Large Object, is a mass of data in binary form. Azure Storage SAS tokens are essentially strings that allow access to Azure Storage services in a secure manner. They are a type of URI (Uniform Resource Identifier) that offer specific access rights to specified Azure Storage resources, like a blob, or a whole range of blobs.

A Microsoft employee shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive SAS token for an internal storage account.

The URL allowed access to more than just the open-source models. It was configured to grant permissions on the entire storage account, thus exposing the additional sensitive data by mistake.

But exposing sensitive data is not even the worst that could have happened, Wiz explains.

> “An attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft’s GitHub repository would’ve been infected by it.”

After Wiz shared its findings with Microsoft on June 22, 2023 Microsoft revoked the SAS token two days later.

Microsoft stated that:

> “The information that was exposed consisted of information unique to two former Microsoft employees and these former employees’ workstations. No customer data was exposed, and no other Microsoft services were put at risk because of this issue. Customers do not need to take any additional action to remain secure.”

Microsoft also said that as a result of Wiz’s research, it has expanded GitHub’s secret spanning service, which monitors all public open source code changes for plaintext exposure of credentials and other secrets to include any SAS token that may have overly permissive expirations or privileges.

**Best practices for SAS tokens**

Allowing others to learn from their mistakes, Microsoft shared some tips on working with SAS URLs.

*   Apply the principle of least privilege: Scope SAS URLs to the smallest set of resources required by clients (e.g. a single blob), and limit permissions to only those needed by the application (e.g. read-only, write-only).
*   Use short-lived SAS: Always use a near-term expiration time when creating a SAS, and have clients request new SAS URLs when needed. Azure Storage recommends one hour or less for all SAS URLs.
*   Handle SAS tokens carefully: SAS URLs grant access to your data and should be treated as an application secret. Only expose SAS URLs to clients who need access to a storage account.
*   Have a revocation plan: Associate SAS tokens with a stored access policy for fine-grained revocation of a SAS within a container. Be ready to remove the stored access policy or rotate storage account keys if a SAS or shared key is leaked.
*   Monitor and audit your application: Track how requests to your storage account are authorized by enabling Azure Monitor and Azure Storage Logs. Use a SAS Expiration Policy to detect clients using long-lived SAS URLs.

Wiz advises against the external usage of SAS tokens.

> “{SAS\] tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal. In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”

**We don’t just report on cloud security.**

Cybersecurity risks should never spread beyond a headline. Detect sophisticated threats across Box and other vendors’ cloud repositories by using Malwarebytes Cloud Storage Scanning.

**RELATED ARTICLES**

Microsoft AI researchers accidentally exposed terabytes of sensitive data

By Waqas
Another day, another data security incident at Microsoft.
This is a post from HackRead.com Read the original post: Microsoft AI Researchers Expose 38TB of Top Sensitive Data

**KEY FINDINGS**

*   **Microsoft AI researchers accidentally exposed 38 terabytes of private data, including a disk backup of two employees’ workstations, while publishing a bucket of open-source training data on GitHub.**

*   **The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.**

*   **The data was exposed due to a misconfigured Shared Access Signature (SAS) token.**

*   **SAS tokens can be a security risk if not used properly, as they can grant high levels of access to Azure Storage data.**

*   **Organizations should carefully consider their security needs before using SAS tokens.**

As part of their ongoing work on accidental exposure of cloud-hosted data, the Wiz Research Team scanned the internet for misconfigured storage containers. In this process, they found a GitHub repository under the Microsoft organization named robust-models-transfer. The repository belonged to Microsoft’s AI research division, whose purpose is to provide open-source code and AI models for image recognition.

After further digging, it was revealed that Microsoft AI researchers accidentally exposed 38 terabytes of private data, including a disk backup of two employees’ workstations, while publishing a bucket of open-source training data on GitHub. The backup included secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

However, the URL for the repository allowed access to more than just open-source models. It was configured to grant permissions on the entire storage account, exposing additional private data by mistake.

The Wiz scan showed that this account contained 38 terabytes of additional data, including Microsoft employees’ personal computer backups. The backups contained sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.

In the hands of threat actors, this data could have been devastating for the technology giant, especially considering the current circumstances. Microsoft has **recently revealed** how malicious elements are eager to exploit Microsoft Teams to facilitate ransomware attacks.

The exposed URL, MS Team Chats and more (Credit: WIZ)

According to Wiz’s **blog post**, in addition to the overly permissive access scope, the token was also misconfigured to allow “full control” permissions instead of read-only. This means that not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well.

This is particularly interesting considering the repository’s original purpose: providing AI models for use in training code. The repository instructs users to download a model data file from the SAS link and feed it into a script.

The file’s format was ckpt, a format produced by the TensorFlow library. It’s formatted using Python’s pickle formatter, which is prone to arbitrary code execution by design. This means that an attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft’s GitHub repository would’ve been infected by it.

In response to the news, **Andrew Whaley**, Senior Technical Director at the Norwegian cybersecurity firm **Promon** said: “Microsoft may be one of the frontrunners in the AI race, but it’s hard to believe this is the case when it comes to cybersecurity. The tech titan has taken great technological strides in recent years; however, this incident serves as a reminder that even the best-intentioned projects can inadvertently expose sensitive information.”

“Shared Access Signatures (SAS) are a significant cybersecurity risk if not managed with the utmost care. Although they’re undeniably a valuable tool for collaboration and sharing data, they can also become a double-edged sword when misconfigured or mishandled. When overly permissive SAS tokens are issued or when they are exposed unintentionally, it’s like willingly handing over the keys to your front door to a burglar,” Andrew warned.

He emphasised that “Microsoft may well have been able to prevent this breach if they implemented stricter access controls, regularly audited and revoked unused tokens, and thoroughly educated their employees on the importance of safeguarding these credentials. Additionally, continuous monitoring and automated tools to detect overly permissive SAS tokens could have also averted this blunder.”

This is not the first instance of Microsoft exposing such sensitive data. **In July 2020**, the Microsoft Bing server inadvertently exposed user search queries and location data, including distressing search terms related to murder and child abuse content.”

Nevertheless, Wiz researchers informed Microsoft about the data leak on June 22, 2023, and the tech giant secured it by August 16, 2023. The researchers published their report earlier today, once they were assured that all security aspects of the exposed servers had been addressed.

**RELATED ARTICLES**

1.  Leaky database exposes fake Amazon product reviews scam
2.  250 million Microsoft customer support records leaked in plain text
3.  Microsoft investigating Windows XP, Server 2003 source code leak
4.  38 million records exposed in Microsoft Power apps misconfiguration
5.  Sensitive source codes exposed in Microsoft Azure Blob account leak

Microsoft AI Researchers Expose 38TB of Top Sensitive Data

Razer Synapse versions before 3.8.0428.042117 (20230601) suffer from multiple vulnerabilities. Due to an unsafe installation path, improper privilege management, and a time-of-check time-of-use race condition, the associated system service "Razer Synapse Service" is vulnerable to DLL hijacking. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows.

Advisory ID:               SYSS-2023-002  
Product:                   Razer Synapse  
Manufacturer:              Razer Inc.  
Affected Version(s):       Versions before 3.8.0428.042117 (20230601)  
Tested Version(s):         3.8.0228.022313 (20230315)  
                            under Windows 10 Pro (10.0.19044)  
                            under Windows 11 Home (10.0.22621)  
Vulnerability Type:        Improper Privilege Management (CWE-269)  
                            Time-of-check Time-of-use Race Condition   
(CWE-367)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2023-03-23  
Solution Date:             2023-04-28  
Public Disclosure:         2023-08-31  
CVE Reference:             CVE-2022-47631  
Author of Advisory:        Dr. Oliver Schwarz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Razer Synapse is an additional driver software for Razer gaming devices.  
The manufacturer describes the product as a "unified cloud-based  
hardware configuration tool" (see [1]).

Due to an unsafe installation path, improper privilege management, and a  
time-of-check time-of-use race condition, the associated system service  
"Razer Synapse Service" is vulnerable to DLL hijacking.  
As a result, local Windows users can abuse the Razer driver installer to  
obtain administrative privileges on Windows.

In order to exploit the vulnerability, the attacker needs physical  
access to the machine and needs to prepare the attack before Razer  
Synapse is installed along with a Razer driver.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The attack scenario considers a Windows machine without any previous  
installation of any Razer device or software.  
The attacker has a local unprivileged Windows account, physical access  
to the machine, and a device which is either a Razer peripheral or able  
to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero).  
The attacker aims at executing code with full system privileges.

The attack exploits the Razer Synapse Service which runs with elevated  
privileges. While the main binary of the service is stored in the  
protected location "C:\Program Files (x86)\Razer\Synapse3\Service", it  
dynamically loads libraries from  
"C:\ProgramData\Razer\Synapse3\Service\bin".  
Before the installation, standard users can write to this path, since  
"C:\ProgramData" is world-writable on a standard installation of  
Windows.

The Synapse installation procedure changes access privileges, so that  
standard users cannot write to the path any longer.  
However, if the path is created before the driver installation, the  
creator can set own files to be read-only and deny write access for  
the SYSTEM user.

Upon start, the Synapse service checks the location for foreign DLLs,  
removes them, and aborts upon failure to delete them.  
However, due to a time-of-check time-of-use race condition, attackers  
can replace a benign DLL after it has been checked and before it is  
loaded.

Note that the described vulnerability is similar to CVE-2021-44226  
(SYSS-2021-058) and CVE-2022-47632 (SYSS-2022-047), which Razer Inc.  
fixed in March and September of 2022, respectively.  
The new attack differs from the earlier ones in that the attacker  
now has to exploit a race condition.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The attack consists of the following steps:

1. Before the installation of the driver/Synapse, the attacker creates  
    "C:\ProgramData\Razer\Synapse3\Service\bin", copies a custom  
    malicious version of userenv.dll into the directory, sets the DLL to  
    read-only, and denies write access for SYSTEM.

2. Afterwards, the attacker triggers the installation of Synapse.  
    This can be done without any elevated privileges by plugging in a  
    Razer device and following the installation procedure for Synapse  
    if device-specific co-installers are not disabled.  
    Alternatively, a device such as Bash Bunny or a Raspberry Pi Zero  
    can be used and pretend to be a Razer device.

3. With the help of a script, the attacker monitors the installation  
    progress. As soon as legitimate DLL files show up in the directory,  
    the attacker temporarily overwrites the malicious DLL with a  
    legitimate one, waits for the DLL to be assessed (i.e., read), and  
    then quickly copies back the malicious content to the DLL before it  
    is actually loaded and executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Razer has published a patched version that will be deployed automatically  
upon driver installation on current Windows builds.

To prevent similar attacks through other co-installers, system  
administrators can disable them by setting the following key in the  
Windows registry:  
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device   
Installer\DisableCoInstallers = 1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-12-19: Vulnerability discovered  
2023-03-23: Vulnerability reported to manufacturer  
2023-04-28: Patch released by manufacturer  
2023-08-31: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Razer Synapse 3  
     https://www2.razer.com/eu-en/synapse-3  
[2] SySS Security Advisory SYSS-2023-002

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-002.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] SySS Proof of Concept Video  
     https://youtu.be/0myDcqmtt0U  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH.

E-Mail: oliver.schwarz@syss.de  
Public Key:   
https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Schwarz.asc  
Key ID: 0x9716294F1294280D  
Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: https://creativecommons.org/licenses/by/3.0/deed.en

Razer Synapse Race Condition / DLL Hijacking

By Waqas
KEY FINDINGS Organizations should take steps to protect themselves from this campaign by keeping software up to date,…
This is a post from HackRead.com Read the original post: Rust Implant Used in New Malware Campaign Against Azerbaijan

**KEY FINDINGS**

*   **A new malware campaign targeting Azerbaijani targets has been discovered.**

*   **The campaign uses a novel malware implant written in the Rust programming language.**

*   **The implant is difficult to detect by security solutions and reverse engineering.**

*   **The attackers used a decoy image file of the Azerbaijani MOD symbol in the campaign.**

Organizations should take steps to protect themselves from this campaign by keeping software up to date, educating employees about cybersecurity best practices, and using a comprehensive security solution.

A new malware campaign targeting Azeri infrastructure has been discovered by the Deep Instinct Threat Lab. The campaign is notable for its use of a novel malware implant written in the Rust programming language.

The campaign has at least two different initial access vectors. The first is a malicious LNK file with the filename “1.KARABAKH.jpg.lnk.” This file has a double extension to lure the victim into clicking on it, as it appears to be an image file related to the recent military conflict in Nagorno-Karabakh.

The LNK file downloads and executes an MSI installer hosted on Dropbox. This installer then drops an implant written in Rust, an XML file for a scheduled task to execute the implant, and a decoy image file. The image file includes watermarks of the symbol of the Azerbaijani Ministry of Defense (MOD).

Decoy image file and the invoice (Credit: Deep Instinct Threat Lab)

The second initial access vector is a modified version of a document that was previously used by the Storm-0978 group. This document exploits CVE-2017-11882 in Microsoft Equation Editor to download and install a malicious MSI file. This MSI file also drops a variant of the same Rust implant, as well as a decoy PDF invoice.

Once the Rust implant is executed, it goes to sleep for 12 minutes. This is a known method to avoid detection by security researchers and sandboxes. The implant is then expected to gather information and send it to the attacker’s server.

According to Deep Instinct Threat Lab’s blog post, could not attribute these attacks to any known threat actor. However, the fact that both Rust implants had zero detections when first uploaded to VirusTotal shows that writing malware in esoteric languages can bypass many security solutions.

The campaign attack flow (Credit: Deep Instinct Threat Lab)

**Implications of the Campaign**

The use of a Rust implant in this campaign is significant for several reasons. First, Rust is a relatively new programming language, and it is not yet widely used by malware authors. This makes it more difficult for security products to detect Rust malware.

Second, Rust is a compiled language, which means that the malware is converted into machine code before it is executed. This makes it more difficult to reverse engineer the malware.

Azerbaijan and Armenia have been engaged in several conflicts, which have witnessed a significant number of cyber attacks. However, it’s essential not to overlook or dismiss recent tensions between Azerbaijan and Iran as a potential cause of this malware campaign.

**Recommendations for Organizations**

Organizations should take the following steps to protect themselves from this campaign and other similar attacks:

*   Keep software up to date, including operating systems and security solutions.
*   Be careful about clicking on links in emails and messages, even if they appear to be from known senders.
*   Educate employees about cybersecurity best practices, such as phishing awareness and password security.
*   Use a security solution that can detect and block malware written in esoteric languages.

**Conclusion**

This new malware campaign targeting Azerbaijani targets serves as a reminder that attackers are continuously developing new techniques to bypass security solutions. Organizations must take the necessary steps to safeguard themselves from these threats.

While common sense is a valuable defence against such attacks, organizations should also contemplate transitioning their infrastructure from Windows to Linux as an additional security measure.

Rust Implant Used in New Malware Campaign Against Azerbaijan

By Waqas
A DDoS attack can cripple your servers. Here's a list of DDoS mitigation companies in 2023, along with a brief overview of the DDoS attacks they have effectively mitigated.
This is a post from HackRead.com Read the original post: 10 Top DDoS Attack Protection and Mitigation Companies in 2023

DDoS attack (Distributed Denial of Service attack) is a major threat to businesses of all sizes. They can overwhelm a company’s servers and infrastructure, causing downtime, and making it unavailable to legitimate users. A DDoS attack can also cost a company millions of dollars in lost revenue and productivity.

DDoS mitigation companies offer a variety of solutions to help businesses protect themselves from DDoS attacks. These solutions can include network layer protection, transport layer protection, and application layer protection.

Here is a list of the top 10 DDoS mitigation companies in 2023, along with a brief overview of their services and examples of DDoS attacks they have mitigated:

**1\. Cloudflare**

Cloudflare‘s DDoS mitigation and protection services are designed to protect websites and applications from a wide range of DDoS attacks, including network layer attacks, transport layer attacks, and application layer attacks.

Its services are powered by Cloudflare’s global network, which consists of over 275 data centers in over 100 countries. This allows Cloudflare to filter out malicious traffic before it reaches your website or application.

Cloudflare’s DDoS protection services are also highly scalable. Cloudflare can mitigate even the largest DDoS attacks, without impacting the performance of your website or application.

The company’s services are available in a variety of plans, to meet the needs of businesses of all sizes. Cloudflare also offers a free plan, which includes basic DDoS protection.

Cloudflare has mitigated some of the largest DDoS attacks in history, including a 15.3 million rps (request-per-second) DDoS attack earlier in April 2022 and a 1.3 Tbps attack on GitHub in 2018.

****2\.** Radware**

Radware‘s DDoS protection services are designed to protect networks, data centers, and applications from a wide range of DDoS attacks, including network layer attacks, transport layer attacks, and application layer attacks.

Radware’s DDoS mitigation services are based on a combination of hardware and software solutions. Radware’s hardware appliances are deployed on-premises, while its software solutions can be deployed in the cloud or on-premises.

The company offers a number of key features, including:

*   **Comprehensive protection:** Radware’s DDoS protection services protect against a wide range of DDoS attacks, including new and emerging threats.
*   **High performance:** Radware’s DDoS protection services offer high performance, with minimal impact on legitimate traffic.
*   **Scalability:** Radware’s DDoS protection services can be scaled to meet the needs of businesses of all sizes.
*   **Flexibility:** Radware’s DDoS protection services can be deployed in a variety of environments, including on-premises, cloud, and hybrid environments.

Radware has mitigated DDoS attacks on a variety of high-profile customers, including an 809 Mpps (million packets-per-second) attack on a mainstream bank in Europe in 2020, Bank of America in 2013 and the New York Stock Exchange in 2016.

**3\. Akamai**

  
Akamai offers a range of DDoS protection services that can help businesses defend against sophisticated and well-orchestrated DDoS attacks. Their services are built on dedicated infrastructure and designed to protect internet-facing applications and systems while maintaining fast, highly secure, and always-available DNS.

Akamai’s DDoS protection solutions can be customized to the specifications of web apps and Internet-based services. They offer a holistic DDoS defence with products such as Prolexic, Web Application Protector, Kona Site Defender, and Edge DNS. These solutions provide end-to-end DDoS defence for organizations, ensuring the highest quality of DDoS mitigation to keep applications, data centers, and internet-facing infrastructure protected.

Akamai’s Prolexic is a cloud-based DDoS protection solution that defends data centers and hybrid infrastructures to ensure availability and uptime. It provides comprehensive port and protocol protection against a broad range of DDoS attacks, including high-bandwidth sustained attacks and complex multi-vector attacks.

Akamai has mitigated DDoS attacks on various high-profile customers, including a 2022 attack which peaked at 704.8 million packets per second, Netflix and Amazon. Most recently in March 2023, Akamai managed to mitigate a DDoS attack in Asia that reached 900Gbps.

**4\. AWS Shield**

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. The service was launched in December 2016. It provides dynamic detection and automatic inline mitigations that minimize application downtime and latency. With AWS Shield, you can automatically detect and mitigate sophisticated network-level distributed denial of service (DDoS) events.

You can also customize application protection against DDoS risks through integrations with Shield Response Team (SRT) protocol or AWS WAF. AWS Shield offers two different tiers: AWS Shield Standard and AWS Shield Advanced.

While AWS Shield Standard protects your application at the edge of the AWS network using Amazon CloudFront, AWS Global Accelerator, and Amazon Route, AWS Shield Advanced provides more powerful protection against DDoS attacks. It inspects traffic in real-time and automatically implements mitigation techniques to avoid negative impacts on performance.

AWS Shield has mitigated DDoS attacks on a variety of high-profile customers, including GitHub and Twitch. In June 2020, AWS Shield managed to mitigate a 2.3 TBPS attack, which was the largest ever DDoS attack at that time.

**5\. Azure DDoS Protection**

Azure DDoS Protection is a managed DDoS protection service offered by Microsoft Azure. It is designed to safeguard applications deployed in a virtual network against distributed denial-of-service (DDoS) attacks.

Azure DDoS Protection provides enhanced DDoS mitigation features that are automatically tuned to help protect your specific Azure resources. The service defends against DDoS attacks at layer 3 and layer 4 network layers. For web applications, protection at layer 7 can be added using a Web Application Firewall (WAF) offering.

Azure DDoS Protection offers two tiers: DDoS Network Protection and DDoS IP Protection. DDoS Network Protection provides enhanced DDoS mitigation features for protecting specific Azure resources in a virtual network. It can be enabled on any new or existing virtual network without requiring any application or resource changes.

On the other hand, DDoS IP Protection follows a pay-per-protected IP model and includes additional value-added services such as DDoS rapid response support, cost protection, and discounts on WAF.

Key features of Azure DDoS Protection include always-on traffic monitoring, adaptive real-time tuning, and DDoS protection analytics, metrics, and alerting. The service monitors your application traffic patterns 24/7 and mitigates detected DDoS attacks automatically. Intelligent traffic profiling learns your application’s traffic over time and adjusts the profile accordingly. Azure DDoS Protection also provides analytics, metrics, and alerting capabilities to help you stay informed about potential threats.

Azure DDoS Protection has mitigated DDoS attacks on various high-profile customers, including Microsoft and Sony. According to the company’s “Azure DDoS Protection—2021 Q3 and Q4 DDoS attack trends” report, it also managed to mitigate a 3.47 Tbps attack, and two more attacks above 2.5 Tbps. In October 2021, Microsoft reported on a 2.4 terabit per second (Tbps) DDoS attack in Azure that we successfully mitigated

**6\. Google Cloud Armor**

Google Cloud Armor is a network security service offered by Google Cloud that provides defences against DDoS and application attacks. It offers a rich set of Web Application Firewall (WAF) rules and helps protect workloads behind HTTP/S and TCP/SSL Proxy Load Balancers, Network Load Balancer, using protocol forwarding, or virtual machines (VM) with public IPs. Google Cloud Armor provides enterprise-grade DDoS protection against both Layer 3 and Layer 4 attacks.

It uses a variety of techniques such as rate limiting, scrubbing, and sinkholing to mitigate attacks. In conjunction with the Google Cloud global load balancing infrastructure, Cloud Armor provides always-on DDoS protection from Layer 3 and Layer 4 volumetric and protocol-based attacks.

Google Cloud Armor has mitigated DDoS attacks on a variety of high-profile customers, including Google and Airbnb. In August 2022, the company revealed how it managed to block the largest Layer 7 DDoS attack at 46 million rps aimed at one of its customers.

**7\. Imperva**

Imperva offers a range of DDoS protection services that can help businesses defend against various types of DDoS attacks. Their services are designed to ensure uninterrupted operation and business continuity by securing all your assets at the edge. Imperva’s DDoS protection services provide maximum visibility and optimized performance, allowing you to focus on your core business activities. They offer different protection options for websites, networks, and individual IPs.

Imperva’s DDoS Protection for Websites is an always-on service that immediately mitigates any type or size of DDoS attack targeting web applications. It complements the Imperva cloud web application firewall (WAF), which blocks hacking attempts and attacks by malicious bots.

Imperva’s unique cloud-based DDoS protection services are rapidly deployed with no hardware or software installation or costly, ongoing maintenance. They protect against all types of DDoS attacks, absorbing even multi-gigabyte attacks. Imperva provides a 3-second mitigation SLA against any DDoS attack, ensuring fast response and minimal disruption to service.

Imperva has mitigated DDoS attacks on various high-profile customers, including Visa and MasterCard. According to Imperva’s blog post, the 3 biggest DDoS attacks Imperva mitigated include a Layer 7 Application DDoS Attack measuring over 2.5 million rps in February 2022, a Network DDoS attack with a throughput of 1.02 Tbps in July 2021 and one of the Largest Network DDoS attack of almost 1 Tbps in October 2020.

**8\. F5**

F5 provides a range of DDoS protection services that can help defend your business against application-layer and volumetric attacks. Their services are designed to be flexible and can be deployed in a variety of architectural and operational models, including cloud-based protection, hybrid on-premises defence with on-demand cloud scrubbing, and native application infrastructure form factors. 

F5’s DDoS mitigation solutions are multi-tiered and can defend against multi-vector denial-of-service attacks that target critical infrastructure protocols like DNS and TLS. F5’s DDoS protection services can detect and mitigate large-scale volumetric and targeted application attacks in real time, even defending against attacks that exceed hundreds of gigabits per second. 

F5’s DDoS protection services are backed by the F5 Global Network infrastructure, security tools, and the F5 Security Operations Center (SOC), which is staffed with experts that monitor and protect your business from attack 24/7, 365.

F5 has mitigated DDoS attacks on various high-profile customers, including PayPal and eBay. Although there are hardly any online resources listing the clients F5 has protected from DDoS attacks, in June 2023, MazeBolt named F5 as the preferred remediation vendor for RADAR non-disruptive DDoS testing.

**9\. Nexusguard**

Nexusguard offers a comprehensive DDoS protection platform that defends public-facing websites, applications, APIs, infrastructure, backends, and DNS servers against DDoS attacks of all types and complexities. Their platform is built on the right mix of people, processes, and technology to ensure maximum protection. Nexusguard’s one-stop DDoS protection platform consists of the following components:

1.  **InfraProtect**: Safeguards infrastructure against DDoS attacks.
2.  **Origin Protection (OP)**: Shields networks and systems from threats.
3.  **Application Protection (AP)**: Protects web applications from DDoS attacks.
4.  **Web Application Firewall (WAF)**: Blocks hacking attempts and attacks by malicious bots.
5.  **DNS Protection (DP)**: Ensures 100% availability and efficient resolution of DNS requests for protected domains.

Nexusguard’s DDoS protection services are designed to provide maximum visibility, optimized performance, and uninterrupted operation for businesses. They offer a range of services that can be tailored to meet the specific needs of websites, networks, and individual IPs Nexusguard’s cloud-based DDoS protection services are rapidly deployed without requiring any hardware or software installation or ongoing maintenance. They can absorb even multi-gigabyte attacks and provide a 3-second mitigation SLA to minimize disruption to service.

Nexusguard has mitigated DDoS attacks on a variety of high-profile customers, including the New York Stock Exchange and the Nasdaq. Nexusguard’s whitepaper (PDF) maintained that its services are available around the world, collectively loaded with 1.44Tbps of mitigation capacity.

**10\. Arbor Networks**

Arbor Networks provides a range of DDoS protection services that can help businesses defend against various types of DDoS attacks. Their services are designed to ensure uninterrupted operation and business continuity by securing all your assets at the edge. 

Arbor Networks’ DDoS protection services provide maximum visibility and optimized performance, allowing you to focus on your core business activities. They offer different protection options for websites, networks, and individual IPs.

Arbor Networks’ APS (Arbor Protection System) is an always-on, in-line, intelligently automated DDoS protection solution that provides comprehensive protection from the largest DDoS attacks. It uses hybrid, multi-layer defences to protect against all types of DDoS threats, including cloud-based protection to defend against large, high-volume attacks. 

Arbor Networks’ SP (Security Platform) provides pervasive network visibility and DDoS attack detection. Arbor Networks’ TMS (Threat Management System) provides out-of-path, stateless, surgical mitigation of DDoS attacks as large as 400Gbps.

Arbor Networks has mitigated DDoS attacks on various high-profile customers, including the US Department of Defense and the UK National Security Agency. Arbor is now part of NetScout Systems.

**Bottom Line**

Both big and small businesses should consider implementing a DDoS mitigation service as an integral part of their cybersecurity strategy. While larger enterprises often have dedicated IT resources, smaller businesses are not immune to these threats.

By investing in DDoS mitigation services, businesses of all sizes can proactively defend their digital infrastructure, ensuring uninterrupted online services, safeguarding customer trust, and minimizing potential financial losses in the face of cyberattacks.

Did we miss a company that deserves to be on this list? You can share it in the comment section!

**RELATED ARTICLES**

1.  6 of the Best Crypto Bug Bounty Programs
2.  What is an OSINT Tool – Best OSINT Tools 2023
3.  The 10 Best Cybersecurity Companies in the UK
4.  Cybersecurity for Startups: Best Tips and Strategies
5.  Antivirus Software: The Best Deals, Coupons and Discounts
6.  Best-performing cybersecurity firms and their recent developments

10 Top DDoS Attack Protection and Mitigation Companies in 2023

Summary Summary As part of a recent Coordinated Vulnerability Disclosure (CVD) report from Wiz.io, Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account.

**Summary Summary**

As part of a recent Coordinated Vulnerability Disclosure (CVD) report from Wiz.io, Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account. Security researchers at Wiz were then able to use this token to access information in the storage account. Data exposed in this storage account included backups of two former employees’ workstation profiles and internal Microsoft Teams messages of these two employees with their colleagues. **No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue.** We are sharing the learnings and best practices below to inform our customers and help them avoid similar incidents in the future.

SAS tokens provide a mechanism to restrict access and allow certain clients to connect to specified Azure Storage resources. In this case, a researcher at Microsoft inadvertently included this SAS token in a blob store URL while contributing to open-source AI learning models and provided the URL in a public GitHub repository. There was no security issue or vulnerability within Azure Storage or the SAS token feature. Like other secrets, SAS tokens should be created and managed properly. Additionally, we are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture.

After identifying the exposure, Wiz reported the issue to the Microsoft Security Response Center (MSRC) on June 22nd, 2023. Once notified, MSRC worked with the relevant research and engineering teams to revoke the SAS token and prevent all external access to the storage account, mitigating the issue on June 24th, 2023. Additional investigation then took place to understand any potential impact to our customers and/or business continuity. **Our investigation concluded that there was no risk to customers as a result of this exposure.**

**Improving detections for future cases Improving detections for future cases**

GitHub’s secret scanning service monitors all public open-source code changes for plaintext exposure of credentials and other secrets. This service runs a SAS detection, provided by Microsoft, that flags Azure Storage SAS URLs pointing to sensitive content, such as VHDs and private cryptographic keys. Microsoft has expanded this detection to include any SAS token that may have overly-permissive expirations or privileges.

Microsoft additionally performs complete historical rescans of all public repositories in Microsoft-owned or affiliated organizations and accounts. This system detected the specific SAS URL identified by Wiz in the ‘robust-models-transfer’ repo, but the finding was incorrectly marked as a false positive. The root cause issue for this has been fixed and the system is now confirmed to be detecting and properly reporting on all over-provisioned SAS tokens.

**Understanding SAS tokens, best practices, and preventing abuse Understanding SAS tokens, best practices, and preventing abuse**

Shared Access Signatures (SAS) provides a secure mechanism to delegate access to data within a storage account. Unlike Shared Key, which has full access to an entire storage account, SAS provides granular control for how clients can access your data.  When used correctly, SAS can improve both the security and performance of storage applications.

For example, a SAS token can be used to restrict:

*   What resources a client can access (specific container, directory, blob, or blob version)
*   What operations a client can perform (read, write, list, delete)
*   What network a client can access from (HTTPS, IP address)
*   How long a client has access (start time, end time)

Like any key-based authentication mechanism, a SAS can be revoked at any time by rotating the parent key. In addition, SAS supports fine-grained revocation at the container level, without having to rotate storage account keys.

Just like any secret, SAS tokens need to be created and handled appropriately.

Azure Storage recommends the following Best Practices when working with SAS URLs:

*   **Apply the Principle of Least Privilege**: Scope SAS URLs to the smallest set of resources required by clients (e.g. a single blob), and limit permissions to only those needed by the application (e.g. read-only, write-only).
*   **Use Short-Lived SAS**: Always use a near-term expiration time when creating a SAS, and have clients request new SAS URLs when needed. Azure Storage recommends 1 hour or less for all SAS URLs.
*   **Handle SAS Tokens Carefully**: SAS URLs grant access to your data and should be treated as an application secret. Only expose SAS URLs to clients who need access to a storage account.
*   **Have a Revocation Plan**: Associate SAS tokens with a Stored Access Policy for fine-grained revocation of a SAS within a Container. Be ready to remove the Stored Access Policy or Rotate Storage Account Keys if a SAS or Shared Key is leaked.
*   **Monitor and Audit Your Application**: Track how requests to your storage account are authorized by enabling Azure Monitor and Azure Storage Logs. Use a SAS Expiration Policy to detect clients using long-lived SAS URLs.

Azure Storage is committed to helping customers safeguard their data assets and will continue to make ongoing improvements to encode these best practices in the default settings for storage accounts.

For more information, please see our best practices for using SAS tokens and security recommendations for blob storage.

**Conclusion Conclusion**

To reiterate, the information that was exposed consisted of information unique to two former Microsoft employees and these former employees’ workstations. No customer data was exposed, and no other Microsoft services were put at risk because of this issue. Customers do not need to take any additional action to remain secure.

Like any secret, SAS tokens need to be created and handled appropriately. As always, we highly encourage customers to follow our best practices when using SAS tokens to minimize the risk of unintended access or abuse. Microsoft is also making ongoing improvements to our detections and scanning toolset to proactively identify such cases of over-provisioned SAS URLs and bolster our secure-by-default posture.

We appreciate the opportunity to investigate the findings reported by Wiz.io. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research. Researchers who report security issues to the Microsoft Security Response Center are also eligible to participate in Microsoft’s Bug Bounty Program.

Microsoft follows CVD, which systematically and responsibly manages the discovery, reporting, and remediation of security vulnerabilities. CVD allows us to collaborate with researchers and the wider security community in a way that prioritizes user security and system integrity. By following a coordinated approach, we can work with researchers to ensure that potential vulnerabilities are addressed before they’re made public, reducing the risk of exploitation.

Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token

Categories: Exploits and vulnerabilities
Categories: News
Tags: theme

Tags:  themepack

Tags:  Microsoft

Tags:  cve-2023-38146

Tags:  msstyles

An exploit has been released for a vulnerability in .themes that was patched in the September 2023 Patch Tuesday update.



(Read more...)




The post ThemeBleed exploit is another reason to patch Windows quickly appeared first on Malwarebytes Labs.

Included in the September 2023 Patch Tuesday updates was a fix for a vulnerability which has been dubbed ThemeBleed. A Proof-of-Concept (PoC) exploit has been released by Gabe Kirkpatrick, one of the researchers acknowledged for reporting the vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The ThemeBleed vulnerability was listed as CVE-2023-38146: a Windows Themes Remote Code Execution (RCE) vulnerability.

Microsoft assigned a CVSS score of 8.8 (out of 10) and gave it a severity rating “Important”, saying:

> “An attacker would need to convince a targeted user to load a Windows Themes file on a vulnerable system with access to an attacker-controlled SMB share.”

A _.theme_ file is a configuration (_.ini_) text file that is divided into sections, which specify visual elements that appear on a Windows desktop. Section names are wrapped in brackets (\[\]) inside the _.ini_ file. A ._theme_ file enables you to change the appearance of certain desktop elements.

A related file format, _.themepack_, was introduced with Windows 7 to help users share themes. A ._themepack_ must include your _.theme_ file, as well as the background picture, screen saver, and icons files.

Themes can be selected in the Personalization Control Panel only in Windows 7 Home Premium or higher, or only on Windows Server 2008 R2 when the Desktop component is installed.

The ThemeBleed exploit is based on a race condition that can be triggered by opening a specially crafted _.theme_ file. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended.

The _.theme_ files contain references to _.msstyles_ files, which should contain no code, only graphical resources that are loaded when the theme file invoking them is opened. When the .theme file is opened, the ._msstyles_ file will also be loaded.

The researcher found that invoking a check of the theme version calls the _ReviseVersionIfNecessary_ function and does not safely load a signed DLL (_\_vrf.dll_), because the DLL is closed after verifying the signature, and then re-opened when the DLL is loaded via a call to LoadLibrary. During that interval the file could be replaced by a malicious version.

Another problem lies in the fact that if a user were to download a theme from the web, this triggers the 'mark-of-the-web' (MOTW) warning. MOTW was originally an Internet Explorer security feature. It broadened out into a way for your Windows devices to raise a warning when interacting with files downloaded from who-knows-where. Over time, it even contributed to preventing certain types of files from running. However, this could be bypassed if the attacker wrapped the theme into a _.themepack_ file. When using the _.themepack_ file, the contained .theme opens automatically without serving the MOTW warning.

While Microsoft’s fix has removed the functionality that triggers the theme version check to avoid the race condition, it has not fixed the more fundamental problem in the verification procedure of _.msstyles_ files. Nor has it added MOTW warnings to _.themepack_ files.

The researcher notes that the vulnerability appears to be only present in Windows 11.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

ThemeBleed exploit is another reason to patch Windows quickly

Plus: Spyware-packing ads, TikTok GDPR violations, Elon Musk investigations, and more.

China-linked hackers are increasingly moving beyond espionage and into the disturbing world of power grid attacks. Threat researchers at security software firm Symantec this week released new evidence that the Chinese hacking group known as APT41 infiltrated the power grid of an Asian nation. Some details of the latest intrusion echo a 2021 attack on India’s power grid, suggesting the same hackers are responsible.

In Argentina, a scandal is playing out over the use of facial recognition software in Buenos Aires. Despite laws that require authorities to limit searches to known fugitives, an investigation by a judge found that the system was used to look up people not wanted for any crimes. In other cases, errors led police to arrest or question the wrong people. While Buenos Aires is attempting to get the system back online after legal rulings ordered it turned off, the debacle shows how dangerous facial recognition can be even when laws are in place to limit it.

Facial recognition isn’t the only artificial-intelligence-powered system governments are using in new and upsetting ways. Like everyone else, state and local governments around the United States have begun to play with generative AI tools like ChatGPT. And so far, there’s no consensus on how to use the technology. Some US states, like Maine, have temporarily banned its use altogether, fearing cybersecurity concerns, while others are using it to craft speeches and social media posts.

Meanwhile, the US Senate is in the midst of getting an AI education. Around 60 senators attended a closed-door briefing this week, where they heard from major tech CEOs, including Elon Musk, Mark Zuckerberg, and Sam Altman, as well as civil liberties advocates and AI ethics experts. The Senate has been learning about AI and its myriad issues for much of the year, and another forum on AI innovation is scheduled for later this year. Despite these cramming sessions, some lawmakers question whether they’re any closer to tackling AI responsibly.

Finally, the cyberattack against MGM casinos continues to cause havoc for guests of its resorts nearly a week after the attack began. While an attack on a major casino company is inevitably high-profile, the group behind the breach, known as Alphv, has a long history of targeting schools and hospitals—attacks that are far more consequential.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Unless you updated your browser in the past few days, it likely contains a critical flaw. The recently disclosed vulnerability exists in the WebP code library known as libwebp, which encodes and decodes images in the widely used WebP format. Known generally as a “heap buffer overflow,” the flaw can be exploited using a specially crafted malicious image, allowing an attacker to run malicious code on a targeted device. Google says the bug has already been exploited in the wild.

Initially identified early this week as a zero-day vulnerability in Google’s Chrome browser, the libwebp bug impacts browsers built using Chromium, which means Chrome, Mozilla’s Firefox, Microsoft Edge, Opera, Brave, and more. It also affects apps like Telegram, 1Password, Thunderbird, and Gimp. Patches for the flaw are rolling out now, so keep your eyes peeled for updates.

Malicious online ads—also known as “malvertising”—have been around for years. Now, they’re going pro. Several Israeli companies are developing exploits that take advantage of weaknesses in the technical mechanisms that bombard you with ads online, _Haaretz_ reports, allowing attackers to track people and hack their devices. The exploit takes advantage of the online advertising bidding process, in which bots are competing for specific ad slots on web pages in real time. Taking advantage of the fraction of a second before an ad slot is filled, these companies have figured out how to show you an ad that reportedly contains “advanced spyware.” While there’s no quick fix for stopping the spread of this malware, there is something simple you can do to protect yourself: Use an ad blocker.

European data regulators fined TikTok €345 million ($368 million) this week for breaking laws related to the privacy of underage users. The Irish Data Protection Commission (DPC) said the company violated GDPR by failing to make the accounts of child users private by default. The DPC also says TikTok’s “family pairing” feature, which enables an adult to take control of a child’s account settings, did not ensure that the adult with access to the feature was a parent or guardian. TikTok says it opposes the fine because it had updated its settings to make the accounts of anyone under 16 years old private by default before the investigation began.

Turns out, secretly interfering in the battle plans of a United States ally doesn’t go over well in Washington. The US Senate Armed Services Committee has launched an inquiry into Elon Musk’s decision to not enable Starlink satellite communications in Crimea ahead of a Ukrainian military attack on Russian forces. The move, first revealed in author Walter Isaacson’s new biography on Musk, also prompted several Democratic senators to send a letter to the US defense secretary, Lloyd Austin, asking him to explain what actions the Department of Defense (DOD) has taken, or plans to take, to “prevent further dangerous meddling” by Musk.

“SpaceX is a prime contractor and a critical industry partner for the \[DOD\] and the recipient of billions of dollars in taxpayer funding,” the letter reads. “We are deeply concerned with the ability and willingness of SpaceX to interrupt their service at Mr. Musk’s whim and for the purpose of handcuffing a sovereign country’s self-defense, effectively defending Russian interests.”

Even if you have a spotless record, passing a background check can be one of the most stressful parts of landing a new job or an apartment. We have bad news: It’s possible the information used to assess your eligibility might not be accurate. The US Federal Trade Commission (FTC) this week announced a $5.8 million fine against background check providers TruthFinder and Instant Checkmate for “failing to ensure the maximum possible accuracy of their consumer reports,” a violation of the Fair Credit Reporting Act. The FTC alleges that the companies “made millions” by selling subscriptions that would alert people when a “criminal record” was found in their background check, “when the record was merely a traffic ticket.” The company also displayed “Remove” and “Flag as Inaccurate” buttons that the FTC says “did not work as advertised.”

The regulatory ding against TruthFinder and Instant Checkmate comes several months after the companies confirmed a data breach. In January, hackers leaked the personal information of millions of customers by leaking an April 2019 database backup stolen from the companies.

You Need to Update Google Chrome or Whatever Browser You Use

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-36727

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Tag

#microsoft