S3crets Scanner: An Open-source tool that scans AWS S3 Buckets for Secrets
Amazon S3 is commonly used by companies to store data, services, and software in buckets. However, a lot of companies fail to properly secure their S3 buckets which has resulted in data exposure, potentially placing sensitive information in the hands of an adversary or competitor.
Eilon Harel, the creator of this tool, realised that there were no available automated tools that were capable of scanning accidental data leaks. As a result, he created S3crets Scanner. It is capable of listing bucket content via API queries, downloading the relevant textual files, checking for exposed textual files, forwarding results to SIEM, canning content for secrets and using CSPM to get a list of public buckets.
This tool will only scan buckets which have “BlockPublicAcls”,” BlockPublicPolicy”,” IgnorePublicAcls”, and “RestrictPublicBuckets” configurations set to False.
A leaked Amazon Prime video server exposed users' viewing habits
An unprotected Elasticsearch database dubbed Sauron was found by a security researcher Anurag Send, the database was stored on an internal Amazon server and contained Prime Video viewing habits. The server was left without any password protection, meaning anyone with the IP could connect and view any data stored within.
The data exposed contained 215 million records of pseudonymized viewing data. Including the names of movies or shows, the device used for streaming the content, and similar internal data such as subscription information and network quality. Thankfully this data cannot be used to identify the customers by name.
LockBit 3.0 gang claims to have stolen data from Thales
Thales Group is a French multinational company that designs, develops and manufactures electrical systems as well as devices and equipment for the aerospace, defence, transportation and security sectors.
The French defence and technology group Thales confirmed to be aware that the ransomware group LockBit 3.0 claimed to have stolen some of its data. Thales confirmed it had not received any direct ransom notification, the company confirms it has launched an investigation into the alleged security breach, and they have also notified the French ANSSI national cyber security agency.
Microsoft Patch Tuesday, November 2022 fixes 6 exploited zero-day
This month's patch Tuesday fixes six actively exploited zero-day vulnerabilities, with one being publicly disclosed. Exploits are classified as zero-day by Microsoft if it is publicly disclosed or actively exploited with no official fix available. The Six are as follows:
CVE-2022-41128 – Windows Scripting Languages Remote Code Execution. “This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message”
CVE-2022-41091 - Windows Mark of the Web Security Feature Bypass Vulnerability. “An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defences, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”
CVE-2022-41073 - Windows Print Spooler Elevation of Privilege Vulnerability. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
CVE-2022-41125 - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
CVE-2022-41040 - Microsoft Exchange Server Elevation of Privilege Vulnerability. “The privileges acquired by the attacker would be the ability to run PowerShell in the context of the system.”
CVE-2022-41082 - Microsoft Exchange Server Remote Code Execution Vulnerability. “The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.”
The Uk’s National Cyber Security Centre (NCSC) is now scanning the internet to better understand the vulnerability and security of the UK
The NCSC as of the first of November is now beginning to start simple scans across the internet. They claim they’re “not trying to find vulnerabilities in the UK for some other, nefarious purpose” instead beginning with simple scans and slowly increasing the complexity of the scans, explain what and why they’re doing what they are doing. The NCSC has developed a set of principles for conducting scanning effectively and transparently, these are as follows:
publicly explain the purpose and scope of the scanning system
mark activity so that it can be traced back to the scanning system being used
audit scanning activity so abuse reports can be easily and confidently assessed
minimise scanning activity to reduce impact on target resources
ensure opt-out requests are simple to send and processed quickly
The agency pointed out that is scanning the Internet using standard and freely available network tools running within a dedicated cloud-hosted environment. The probes are launched by the two IP addresses: