Combating data breaches caused by misconfigured apps

From the outset of the pandemic, we have seen a dramatic increase in the number of cyber attacks and data breaches. And with much success, threat actors are abusing the fear and panic these adverse conditions are causing. As a result, there has been a precipitous rise in the number of COVID-themed trojans, ransomware attacks, as well as scams and phishing attacks across organisations and verticals. As more organizations shift to remote work, with inadequate policies and strategies in place, they gamble on their own employee and business data security, and privileged controls. And this has served as a catalyst, for an increased number of data breaches, across the globe. 

This article delves into the various ways in which data breaches can occur, and safety practices to ensure that you organization is not impacted by:

  • Cloud misconfigurations
  • Elasticsearch exposures
  • Exposed Internal API/ portals 
  • Phishing attacks and credential disclosure
  • Insecure WiFi/ no VPN

Cloud Misconfigurations

Cloud misconfigurations have led to massive data breaches. For example, The “Capital One” and “Imperva” data breaches were caused by the disclosure of AWS API keys. 

Fugue’s survey shows that 84% of the 300 IT professionals surveyed believe that they are already victims of undiscovered cloud breaches.

 

Data Breach: Fugue Survey
Fugue Survey

As pointed out by the survey, the most common causes of cloud misconfigurations are: 

  • Lack of awareness of cloud security and related policies, 
  • Insufficient controls and lapse in supervision, 
  • Too many cloud APIs to adequately govern, and 
  • Negligent internal activities

Although Cloud operations take a considerable load off of developers, and facilitate the smooth management and monitoring of multiple services, enforcing proper access control policies, user management, access key management, API access control becomes essential.

How to prevent cloud misconfiguration 

  • Understand and utilise the ‘shared responsibility’ security model.
  • Ensure multiple checks while shifting operations to the cloud giving careful consideration to IAM roles, user account permissions, key rotations, test accounts, and storage bucket permissions.
  • Review inbound and outbound traffic rules carefully for the VPC. Security groups are also susceptible to misconfigurations. Therefore, enforce a zero trust policy, and enable VPC logs and monitoring. 
  • Set up behavioural analysis and activity monitoring in addition to strict access policies.

 

Elasticsearch Exposures

Elasticsearch is a search engine that indexes data in the form of documents. Typically, the size of data that this engine indexes is quite large and the indexed result comprises metadata, personal user information, emails or application logs, and more. The service, by default, runs on TCP port 9200. Moreover, most Elasticsearch instances are self-hosted free versions of the software. 

CloudSEK XVigil’s Infrastructure Monitor has detected a significant increase in Elasticsearch instances running on the default port. But it is not rare these days. Recently a UK-based security firm accidentally exposed an Elasticsearch cluster, leaking more than 5 billion documents of breached data between 2012 and 2019.

How to secure Elasticsearch

  • Prevent access to Elasticsearch clusters from the internet. This is the best approach for most databases.
  • Practice ‘security by obscurity,’ whereby, the installed services are not run on the default port. This measure does not merely fix the problem, but drastically reduces the chances of exploitation even via unfocused attacks. 
  • Perform periodic assessments of vendors’/ partners’ networks and ensure that their security controls are set properly. The misconfiguration of privately-owned infrastructure, as well as that of partners and vendors in possession of critical data, adversely impact businesses.
  • Analyse and test every potential entry point to any critical data source/ functionality. This includes supplementary tools, used to expand an application’s capabilities. Most users instal Kibana along with Elasticsearch, which helps to visualise the data Elasticsearch indexes. Kibana dashboards are usually left unauthenticated, inadvertently granting anyone access to the indexed data. 
  • Encrypt the stored data, to render the data useless to the attacker, even if it is accessible. 
  • Employ Elasticsearch’s security methods for authentication, including:
    • Active Directory user authentication
    • File-based user authentication
    • LDAP
    • SAML
    • PKI
    • Kerberos
  • Enforce role-based access control policy, for users who access the cluster.
  • Update Elasticsearch versions regularly, to safeguard the cluster from frequent exploits that affect the older versions. 
  • Back up the data stored in the production cluster.  This is as important as the security measures adopted. A recent attack campaign accessed as many as 15,000 Elasticsearch clusters, and their contents were wiped using an automated script. 

 

Exposed Internal APIs/ Portals

Organizations deploy various applications for internal use. This includes HR management tools, attendance registration applications, file sharing portals, etc. In the event that the entire workforce shifts to remote work, such as times like now, it becomes difficult to track the access and usage of these applications. To top it off, applications are increasingly allowed traffic from the internet, instead of local office networks. As a result, applications and APIs, which lack authentication or use default credentials, are increasingly surfacing on the internet. 

In the past couple of weeks, a number of HR Portals, payroll applications, lead management dashboards, internal REST APIs, and shared FTP servers have surfaced on the internet. Most of the applications are self-hosted, and their default passwords can be used to access them. XVigil has detected multiple instances of directories that contain transaction reports, employee information documents, etc. being served without any authentication. 

How to prevent data disclosure through APIs/ portals

  • Security teams must test these applications thoroughly. 
  • Continuously monitor all internet facing servers. 

 

Phishing attacks and credential disclosures

With a remote workforce communicating primarily via text-based channels such as emails, chats and SMS, it has been much easier for phishing campaigns to take advantage of the distributed workforce. Consequently, the number of spear phishing attacks have surged. Barracuda researchers have observed 3 main types of phishing attacks in the last couple of months: 

  • Scamming
  • Brand impersonation
  • Business Email Compromise (BEC)

Individuals fall prey to phishing attacks, especially during the pandemic, due to:

  • Lack of direct communication
  • Absence of processes and strategies for situations such as this
  • Lack of awareness 

Since emails that use the word COVID have higher click-rates now, scammers are increasingly using them as lures to spread malicious attachments. Once the attachment is downloaded and the malware payload is dropped, threat actors can access keystrokes, files, webcam, or install other malware or ransomware. (Access CloudSEK’s threat intel on COVID-themed scams and attacks)

 

Data breach: Phishing mail
Phishing mail (https://blog.f-secure.com/coronavirus-spam-update-watch-out-for-these-emails/)

How to prepare for phishing attacks

  • Be extremely cautious about any mail you receive.
  • Verify the source of the email, before clicking on any links or attachments. 
  • Even if the links look legitimate, double-check for malicious files. For example: hovering over the attachment will show its actual URL. 

 

Insecure WiFi/ No VPN

Today, every remote workforce is connected to their personal devices and networks. So, the connectivity of such devices should be secured. 

How to prevent attacks via WiFi

  • To avoid brute force attacks, set complex passwords for the router. If the router is an old model, it may use weak encryption for connections, which can be cracked in no time. 
  • Employees working from shared spaces such as hostels, may be connected to shared wifi networks as well. So, to ensure that the data is not tampered within such insecure channels, set up a VPN. In case your organization does not provide a Business VPN, do not download free VPNs which might log your traffic data.

Top open source resources to stay vigilant against COVID-themed cyber attacks

 

As the coronavirus pandemic spreads rapidly across the globe, a panic-stricken populace already confined to their homes, faces the emerging threat of COVID-themed cyber attacks. The trend of recent cyber crimes indicates a spike in the number of COVID-related malicious domains, malware attacks, as well as phishing campaigns. As a result, organizations are left with the daunting prospect of securing their assets, and that of their clients, against adversaries profiting from the pandemic. Without an effective strategy, or the right intelligence, it will be impossible to ward off such attacks.

In this article, we have consolidated popular open source threat intel resources that can help you combat COVID-themed cyber attacks. These open source resources provide the latest intelligence and observations on cyber threats to alleviate the impact such attacks could have on the global community.

COVID-19 Cyber Threat Coalition

Cyber Threat Coalition (CTC)  is the result of combined efforts of around 3,000 security professionals who gather, analyse, and share intelligence pertaining to new COVID-themed threats. At present, the largest contribution of COVID-themed datasets are produced by CTC.  Moreover, they prioritize and defend essential services and the front-line medical sector, against threats. The telecommunication sector is also a part of essential services, as more people shift to remote work.

How does CTC alert organizations?

  • Typically, they examine millions of data points contributed by organizations or individuals, and run the indicators through several security products. 
  • If at least 10 of these security products identify the data point as a threat, CTC volunteers manually verify such findings and add malicious feeds to its Blocklist. If only 5-9 security product vendors identify the data point as malicious, they will be manually verified as malicious feeds before adding them to the Blocklist.
  • This Blocklist helps organizations and individuals, across the globe, block malicious traffic arising from fraudulent activities.
  • Additionally, they have a Beta MISP feed that details the various threat indicators (accessible to those who have set up MISP).

How can you contribute?

  • CTC maintains a Slack workspace, the invitation for which is available on their official website. This workspace is for researchers who may have information regarding COVID-themed cyber attacks. In addition, they also have a slack room to announce updates, and new developments: #ctc-official-announcements 
  • Their Alienvault open threat exchange (OTX) also gathers data feeds from researchers. CTC considers Alienvault OTX as their primary source of raw data feeds. They are encouraging anyone with high quality threat intel, to join this platform.  

Here is the CTC Blocklist for vetted malicious domains and IP addresses:

COVID-themed cyber attacks: Alienvault OTX group
Alienvault OTX group

COVID-19 CTI League

(https://cti-league.com/)

This is a collective of experts and Incident Responders, from across 40 countries, which gathers COVID-related threat intelligence. Senior Microsoft and Amazon officials are also part of this team. CTI League is geared towards neutralizing cyber threats against the front-line medical sector and critical infrastructure. 

How is the medical sector benefiting from the CTI League?

  • CTI accepts IR (Incident Response) requests from organizations, to detect security incidents and keep them in check. To achieve this, the CTI League connects with researchers and analysts from 22 different time zones. Volunteers help the community find the most appropriate individuals who can secure medical institutions and resources in their location.
  • They assist in taking down websites, web pages, or files from the internet, and escalate cyber attacks, malicious activities, or critical vulnerabilities, to law enforcement agencies and national CERTs.
  • They provide reliable databases, of high-priority indicators of compromise, that help the medical sector investigate and block malicious activities. 

Cyber Threat Alliance

(https://www.cyberthreatalliance.org/)

This is a not-for-profit membership organization that focuses on phishing lures and malware attacks. They help thwart attempts to harm the medical sector, in the time of this unprecedented crisis.

What are they offering?

PhishLabs

(https://www.phishlabs.com/covid-19-threat-intelligence)

Phishing is the most common cyber threat. And even as the world tries to make sense of the coronavirus epidemic, scammers are busy cashing in on the fear and anxiety.  PhishLabs, a team of cybersecurity experts, combines their efforts to provide free resources of Coronavirus-related threat intelligence, with their primary focus on phishing attacks.

What have they got to offer?

Their database is updated with the latest on COVID-themed phishing email, malicious URLs, and domains. They present and share the data in a zip file containing phishing lures (as image files), and phishing URLs (in .xlsx format).

PhishLabs image files
PhishLabs image files

Checkphish: Coronavirus Scam Tracker 

(https://checkphish.ai/coronavirus-scams-tracker)

Checkphish maintains a global dashboard that tracks the latest Coronavirus-themed phishing scams. The results are classified into scams and suspicious sites. Moreover, for each website, it provides scam feeds in the .tsv format.

Sample: https://checkphish.ai/data/covid_feed.tsv

Checkphish scam tracker feed
Checkphish scam tracker feed

The dashboard also allows you to run free URL scans to identify malicious websites. For each queried domain and the domains which are already in the list the dashboard also incorporates website screenshots, Passive DNS (of hosts and domains hosted on given IP), details of similar domains, and their WHOIS information.

COVID-themed cyber attacks: Checkphish dashboard
Checkphish dashboard

MISP 

(https://covid-19.iglocska.eu)

Malware Information Sharing Platform (MISP) is an open source threat intelligence platform. They provide IDS signatures for COVID-19 cyber intrusions in various formats such as: STIX, STIX2, Text, csv, etc., They also allow users to automate the process of collecting information. Researchers and interested parties are only required to send a direct message to the team to access https://covid-19.iglocska.eu/.

Events on MISP
Events on MISP
Post that directs users to a frequently updated dataset
Post that directs users to a frequently updated dataset

RiskIQ

RisqIQ PassiveTotal offers access to RisqIQ datasets such as passive DNS, extensive DNS data, WHOIS registration details, and SSL certificate details. And, as a response to the rising number of COVID-themed cyber attacks, they also share lists of Coronavirus-related domain names that contain ‘covid’, ‘coronav’,  ‘vaccine’, ‘pandemic’, or ‘virus.’ These may or may not be malicious. To facilitate an investigation into these domains, interested analysts are allowed 30-days access to use PassiveTotal, RiskIQ’s threat research platform. 

Links to the lists of COVID-themed domain names:

https://covid-public-domains.s3-us-west-1.amazonaws.com/list.txt (consolidated list)

https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-YYYYMMDD

https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-20200420

Covid-19 Medical Supply Scams from RisqIQ dashboard.
Covid-19 Medical Supply Scams from RisqIQ dashboard.

RisqIQ Dashboard: https://community.riskiq.com/

Github CTI league Repo

(https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE)

A GitHub repository, dubbed as COVID-19-CTI-League, also shares vetted, approved IOCs of COVID-themed cyber attacks. Even though the name of the repository resembles the community CTI League (discussed earlier), they aren’t related. 

COVID-themed cyber attacks: CTI League Slack discussion  
CTI League Slack discussion

Independent Researchers And Feeds

Although we have listed out the big names in cyber security, it is important to know that there are individual researchers and cyber security bloggers committed to resolve and neutralize the attacks surfacing during the epidemic. They share their analysis and findings on social media platforms such as Twitter. Here are some of them:

@dustyfresh

Twitter user DustyFresh has set up a feed, updated every 30 seconds, which scans for new COVID-related hostnames discovered in certificate transparency logs. He uses keywords coronavirus, covid19, covid-19, covid, pandemic, etc. 

Although most of the domains in this list are considered malicious, it is upto researchers to figure this out.

@sshell_

Another researcher who goes by the Twitter handle @sshell_ created a real-time dashboard of malicious websites. This dashboard leverages RiskIQ’s feed (mentioned earlier) and lists COVID-themed malicious domains in real-time.

@sshell feed
@sshell feed

@LukasStefanko 

Independent researcher and ESET mobile malware analyst, Lukas Stefanko, tracks COVID-related malware attacks that target Android users, on a daily basis. 

Threatfeeds.io

(https://threatfeeds.io/)

This is another open source threat intelligence platform that gathers Indicators of Compromise from various sources. It allows users to download data for free.

MalwareBazaar

(https://abuse.ch/blog/introducing-malwarebazaar/)

Abuse.ch provides free malware samples that are easily downloadable. MalwareBazaar hopes to help researchers understand malware samples and use the intelligence for further analysis. 

Advisories

The official Twitter accounts of government agencies are also provide regular updates on the latest scams and scamming tactics: 

@CyberDost

Indian Ministry of Home Affairs offers tips and advises the public on safe internet practices, through its Twitter handle @CyberDost and its official website National Cyber Crime Reporting Portal. These platforms can also be used to report any malicious cyber activity that you come across. 

@Europol

This is the Twitter handle of European Union’s Agency for Law Enforcement Cooperation. Europol shares recent trends in cyber attacks and scams themed after the Coronavirus pandemic.