Vulnerable services fixed by the cloud biz but open source projects still at risk
Critical flaws across at least six AWS cloud services could have allowed attackers to execute remote code, steal data or even takeover a user's account without their knowledge, according to research presented today at Black Hat.
"At the end of the day, any vulnerability that can reach the creation of an admin user and de facto account takeover is risky, and the consequences could be crippling to an organization," said Assaf Morag, a lead data analyst on the Aqua Nautilus research team. Plus, while AWS fixed the vulnerabilities across these six services — CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar — similar issues may still exist across other AWS services and open source projects, many of which use S3...
Meanwhile, the attacker could have already filled it with malicious code, which will then be injected into anything that works with this bucket. Or they could sit back and wait for the victim to drop sensitive files in the bucket and then have full access to that data, among other nefarious deeds. "All you need is to have the account ID of the company, and if you do a short threat collection or threat intelligence session on the company, you can find it."
"The possible combinations are enormous, so we took another approach," former Aqua researcher Michael Katchinskiy said. This involved using GitHub regex and Sourcegraph searches, and scraping open databases, looking for leaked hashes, "and we found a nice amount," he noted. "And then the bucket just sits, waiting for the vulnerable service to write some data to it," lead Aqua security researcher Yakir Kadkoda said. In this scenario, the victim org tries to create an S3 bucket in the new region and upload a template file to CloudFormation.
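The scenario above hinges on an AWS service writing into a bucket that already exists but belongs to someone else. One control an account owner can apply on their side, independent of AWS's own fixes, is to refuse any S3 call that targets a bucket owned by a different account. The following identity policy (or service control policy) is an added example written for this article, not a policy published by AWS or by Aqua; it uses the `aws:ResourceAccount` global condition key, and `111111111111` is a placeholder for the defending account's own ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3AccessToBucketsOwnedByOtherAccounts",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceAccount": "111111111111"
        }
      }
    }
  ]
}
```

Attached to the roles that services such as CloudFormation assume when they stage artifacts, this turns a write into a pre-created bucket in an unused region into an access-denied error and a CloudTrail entry rather than a silent upload. The same intent can be expressed per call with the `ExpectedBucketOwner` request parameter on S3 operations. The caveat is that the policy also blocks legitimate cross-account bucket access, so any bucket intentionally shared with another account needs its own exception before the Deny is rolled out broadly.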