company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Ransomware

ESXi

Oktapus

loading..
loading..
loading..

MGM Hit by Ransomware Attack, ESXi Servers Encrypted

BlackCat Ransomware Hits MGM Resorts - Cybersecurity Alert: Learn about the MGM breach by BlackCat ransomware group

15-Sep-2023
4 min read

Related Articles

loading..

RCE

Solarwinds

SolarWinds patches critical RCE and authentication bypass vulnerabilities in Acc...

SolarWinds, a prominent IT management software vendor, recently issued patches for eight critical vulnerabilities in its Access Rights Manager (ARM) product. Six of these flaws are particularly severe, enabling remote code execution (RCE) that could compromise entire IT infrastructures. ### Analyzing the RCE Vulnerabilities The RCE vulnerabilities (CVE-2024-23469, CVE-2024-23466, CVE-2024-23467, CVE-2024-28074, CVE-2024-23471, CVE-2024-23470) share a common thread: they allow unprivileged attackers to execute arbitrary code on vulnerable ARM installations. The impact ranges from command execution to gaining SYSTEM-level privileges, depending on the specific flaw. #### Exposed Dangerous Method (CVE-2024-23469) This vulnerability stems from exposing a dangerous method in the ARM codebase. ```csharp // Hypothetical Vu.lnerable Code public void ExecuteCommand(string command) { Process.Start(comman.d); // Unsanitized command execution } ``` An attacker could exploit this by crafting a malicious command, leading to unauthorized actions on the system. ### Beyond RCE: Directory Traversal and Authentication Bypass SolarWinds also patched three critical directory traversal vulnerabilities (CVE-2024-23475, CVE-2024-23472) and a high-severity authentication bypass (CVE-2024-23465). Directory traversal attacks manipulate file paths to access restricted directories. For example: ```GET /../../../../etc/passw.d HTTP/1.1``` This could expose sensitive files or enable file deletion, depending on the vulnerability. The authentication bypass allows unauthenticated actors to gain domain admin access in Active Directory, potentially compromising the entire domain. ### Patching Urgency and Historical Context SolarWinds urges immediate patching to version 2024.3. The urgency is underscored by the company's history. In 2020, Russian hackers infiltrated SolarWinds' supply chain, compromising thousands of organizations. While unrelated to the current vulnerabilities, this incident serves as a stark reminder of the potential devastation of software vulnerabilities. ### Key Takeaways for Security Professionals 1. **Patch Immediately:** Update ARM to 2024.3 without delay. 2. **Review and Harden Permissions:** Scrutinize ARM permissions and restrict them to the minimum necessary. 3. **Monitor Network Traffic:** Implement network monitoring to detect suspicious activity related to ARM. 4. **Incident Response Plan:** Ensure a robust incident response plan is in place to address potential breaches.

loading..   20-Jul-2024
loading..   2 min read
loading..

Misconfiguration

Azure

A critical misconfiguration within Microsoft's Azure cloud platform triggered a ...

A major outage crippled Microsoft 365 services on Thursday evening, leaving millions of users worldwide unable to access essential tools for work, communication, and entertainment. The disruption, which began around 6:00 PM EST, impacted a wide range of Microsoft's cloud-based offerings, including: * **Microsoft Teams:** The popular collaboration platform went silent, hindering communication and teamwork for countless businesses and organizations. * **OneDrive:** Users were locked out of their cloud storage, losing access to critical files and documents. * **SharePoint Online:** This collaborative intranet platform became inaccessible, disrupting workflows and information sharing. * **Xbox Live:** Even Microsoft's gaming network was affected, leaving gamers unable to connect and play online. ### Azure Misconfiguration at the Root of the Chaos Microsoft quickly identified the root cause of the outage as a configuration change deployed by Azure backend workloads. This change inadvertently blocked communication between specific Azure Storage clusters and compute resources in the Central US region. The resulting disruption caused a cascading effect, forcing compute resources to restart and severing connections to vital virtual disks. _"We're working on rerouting the impacted traffic to alternate systems to alleviate the impact more expediently,"_ Microsoft stated in an initial acknowledgment of the outage. Two hours later, they provided an update, noting a _"positive trend in service availability"_ while redirection efforts continued. ### Microsoft's Response and Recovery Efforts In an official statement, Microsoft acknowledged the outage and assured users that they were working to restore services as quickly as possible. Engineers rerouted traffic to alternate systems and implemented mitigation measures to gradually bring services back online. By early Friday morning, most affected services had been restored, though some users continued to report issues with Microsoft Teams and the admin center. Microsoft confirmed the effectiveness of their recovery efforts and emphasized their commitment to fully resolving the situation. ### Recurring Outages Raise Concerns About Microsoft's Cloud Reliability This incident marks the latest in a series of major outages to plague Microsoft 365 in recent years. Similar disruptions occurred in January 2023 due to a Wide Area Network IP change and in July 2022 due to a faulty Enterprise Configuration Service (ECS) deployment. These recurring problems raise questions about the reliability and resilience of Microsoft's Azure cloud infrastructure. Businesses and individuals who rely heavily on Microsoft 365 services are increasingly concerned about the potential for future disruptions and the impact on their productivity and operations. ### Key Points * **Date:** July 18th, 2024 * **Cause:** Azure configuration error * **Impacted Services:** Microsoft Teams, OneDrive, SharePoint Online, Xbox Live, and others * **Recovery Efforts:** Rerouting traffic, mitigation measures * **Concerns:** Recurring outages raise questions about Microsoft's cloud reliability * **Azure Configuration Error:** The outage stemmed from a misconfiguration within Microsoft's Azure cloud infrastructure. * **Widespread Impact:** Millions of users were affected, with services like Microsoft Teams, OneDrive, SharePoint Online, and Xbox Live experiencing disruptions. * **Recovery Efforts:** Microsoft rerouted traffic and implemented mitigation measures to restore services gradually. * **Recurring Issues:** This incident follows previous outages caused by network changes and faulty deployments, highlighting concerns about Microsoft's cloud infrastructure reliability.

loading..   19-Jul-2024
loading..   3 min read
loading..

API

Trello

Trello API breach exposes 15M+ emails. Explore how 'emo' exploited vulnerabiliti...

In January 2024, a significant data breach involving Trello, an online project management tool owned by Atlassian, was discovered. A threat actor named 'emo' exploited an unsecured REST API, collecting over 15 million email addresses linked to Trello accounts. This data breach highlighted critical vulnerabilities in API security and raised concerns about the misuse of leaked data. This [Threatfeed](https://www.secureblink.com/cyber-security-news) analysis rigorously dissects the breach, underlying technical nuances, and implications. ## Incident Overview ### Discovery and Initial Reports BleepingComputer first reported the breach, revealing that 'emo' was selling profiles of 15,115,516 Trello members on a popular hacking forum. These profiles contained both public information and non-public email addresses. The data was collected using an unsecured REST API, which allowed queries based on Trello ID, username, or email address. ### Methodology of the Threat Actor 'emo' created a list of 500 million email addresses and fed them into the API to determine if they were linked to Trello accounts. The API returned account information, which was then combined to create member profiles. In July, 'emo' shared the entire list on the Breached hacking forum for a minimal fee, making the data accessible to a broader audience. ## Technical Analysis of the Breach ### API Vulnerability The Trello REST API allowed unauthenticated queries, enabling the collection of public profile information. 'emo' exploited this by querying the API with email addresses to link them to Trello accounts. This process was facilitated by the lack of authentication and rate limiting. ### API Exploitation Techniques 'emo' used a list of 500 million email addresses and fed them into the API to identify linked Trello accounts. By rotating connections using proxy servers, 'emo' bypassed rate limiting measures. This allowed continuous querying of the API, creating profiles for over 15 million users. ### Example Code Snippet To illustrate the exploitation technique, consider the following Python script used to query the Trello API: ```python import requests email_list = ["example1@example.com", "example2@example.com", "example3@example.com"] api_url = "https://api.trello.com/1/members/" for email in email_list: response = requests.get(api_url, params={"email": email}) if response.status_code == 200: print(response.json()) ``` This script demonstrates how 'emo' might have used a simple loop to query the API with a list of email addresses. ## Company Response and Mitigation ### Atlassian's Actions Atlassian confirmed the misuse of the Trello REST API and secured it in January 2024. The API now requires authentication, preventing unauthenticated access. This change balances API usability with security, allowing authenticated users to request publicly available information while blocking unauthorized access. ### Long-Term Measures Atlassian continues to monitor the API's use and implement necessary security measures. Regular security audits and proactive monitoring are essential to prevent similar breaches. Educating users about the risks of phishing and doxxing is also crucial. ## Potential Risks and Implications ### Phishing Attacks The leaked data includes email addresses and public Trello account information, such as users' full names. This information can be used in targeted phishing attacks to steal sensitive information like passwords. Attackers can craft convincing phishing emails using this data, increasing the likelihood of successful attacks. ### Doxxing Risks The data can facilitate doxxing, allowing threat actors to link email addresses to individuals and their aliases. This poses significant privacy risks, especially for users who post anonymously online. Unmasking anonymous users can lead to harassment, blackmail, and other malicious activities. ## Historical Context and Similar Breaches ### Facebook API Breach In 2021, a similar API exploitation linked phone numbers to Facebook accounts, affecting 533 million users. Threat actors used an unsecured API to link phone numbers with Facebook profiles, creating detailed user profiles with both public and private information. ### Twitter API Breach In 2022, Twitter experienced a breach where phone numbers and email addresses were linked to millions of users. An unsecured API was exploited to combine public Twitter data with private email addresses and phone numbers, resulting in a significant data leak. ### Twilio API Breach More recently, an unsecured Twilio API confirmed the phone numbers of 33 million Authy app users. Threat actors exploited the API to link phone numbers with user profiles, creating a detailed dataset that posed significant privacy risks. ## Securing APIs: Best Practices ### Robust Authentication Mechanisms Implementing robust authentication mechanisms is crucial to securing APIs. This includes using API keys, OAuth tokens, and other authentication methods to restrict access to authorized users only. ### Rate Limiting and IP Whitelisting Rate limiting and IP whitelisting can help prevent abuse of APIs. By limiting the number of requests from a single IP address and allowing only trusted IPs, organizations can reduce the risk of API exploitation. ### Regular Security Audits Conducting regular security audits of APIs is essential to identify and mitigate vulnerabilities. These audits should include penetration testing, code reviews, and other security assessments to ensure the API is secure. ### Example API Security Configuration The following example shows how to configure an API gateway to enforce rate limiting and authentication using OAuth tokens: ```yaml apiVersion: v1 kind: ConfigMap metadata: name: api-gateway-config data: config.yaml: | apiEndpoints: - path: /api/* methods: [GET, POST] rateLimit: requestsPerMinute: 60 authentication: type: oauth2 tokenEndpoint: https://auth.example.com/token ``` This configuration enforces a rate limit of 60 requests per minute and requires OAuth tokens for authentication.

loading..   17-Jul-2024
loading..   5 min read