AWS 'Bucket Monopoly' attacks could allow complete account takeover

Source: TheRegister

Vulnerable services fixed by the cloud biz but open source projects still at risk

Critical flaws across at least six AWS cloud services could have allowed attackers to execute remote code, steal data or even take over a user's account without their knowledge, according to research presented today at Black Hat.

"At the end of the day, any vulnerability that can reach the creation of admin user and de facto account takeover is risky, and the consequences could be crippling to an organization," Assaf Morag, a lead data analyst on the Aqua Nautilus research team, told The Register.

Plus, while AWS fixed the vulnerabilities across these six — CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar — similar issues may still exist across other AWS services and open source projects, many of which use S3...

Meanwhile, the attacker could have already filled the bucket with malicious code, which will then be injected into anything that works with this bucket. Or they could sit back and wait for the victim to drop sensitive files in the bucket and then have full access to that data, among other nefarious deeds.

"All you need is to have the account ID of the company, and if you do a short threat collection or threat intelligence session on the company, you can find it."

"The possible combinations are enormous, so we took another approach," former Aqua researcher Michael Katchinskiy said. This involved using GitHub regex and Sourcegraph searches, and scraping open databases, looking for leaked hashes, "and we found a nice amount," he noted. "And then the bucket just sits, waiting for the vulnerable service to write some data to it," lead Aqua security researcher Yakir Kadkoda told The Register.

In this scenario, the victim org tries to create an S3 bucket in the new region and upload a template file to CloudFormation.
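One defensive control against the scenario just described, as an added example that is not from the article or from Aqua's research: a small linter that flags IAM policy statements letting a service role read or write S3 objects without pinning them to buckets owned by your own account through the `aws:ResourceAccount` condition key (a real AWS global condition key; the account ID and both sample policies below are constructed).

```python
"""Lint an IAM policy for S3 grants not pinned to buckets your own account owns,
the gap a pre-created attacker bucket exploits. Added example, not the article's
or Aqua's code; aws:ResourceAccount is a real AWS global condition key."""
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder account ID

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_values(statement, operator, key):
    """Values bound to `key` under `operator` in Condition (case-insensitive)."""
    for op_name, kv in statement.get("Condition", {}).items():
        if op_name.lower() == operator.lower():
            for k, v in kv.items():
                if k.lower() == key.lower():
                    return [str(x) for x in _as_list(v)]
    return []

def _touches_s3(statement):
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    return any(a == "*" or a.startswith("s3:") for a in actions)

def unpinned_s3_statements(policy_json, account_id):
    """Sids (or positional labels) of Allow statements granting S3 actions without
    StringEquals aws:ResourceAccount = account_id. A blanket Deny carrying
    StringNotEquals on the same key is accepted as a policy-wide guard."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    for st in statements:
        if st.get("Effect") == "Deny" and _touches_s3(st) and account_id in \
                _condition_values(st, "StringNotEquals", "aws:ResourceAccount"):
            return []
    findings = []
    for idx, st in enumerate(statements):
        if st.get("Effect") == "Allow" and _touches_s3(st) and account_id not in \
                _condition_values(st, "StringEquals", "aws:ResourceAccount"):
            findings.append(st.get("Sid", f"statement[{idx}]"))
    return findings

# Constructed sample: a service role allowed to read/write objects in any bucket
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Artifacts", "Effect": "Allow", "Resource": "arn:aws:s3:::*/*",
     "Action": ["s3:PutObject", "s3:GetObject"]}]})
# Hardened form: identical grant, but only for buckets owned by ACCOUNT_ID
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Artifacts", "Effect": "Allow", "Resource": "arn:aws:s3:::*/*",
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": ACCOUNT_ID}}}]})
```

Calling `unpinned_s3_statements(WEAK_POLICY, ACCOUNT_ID)` returns `['Artifacts']`, while the hardened policy returns an empty list; a role whose S3 writes are pinned this way cannot be tricked into writing to a bucket that an attacker created in another account.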
