There’s no shortage of cyber-attacks making the headlines, but what do they mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
Cyber Criminals Target GitHub Repositories
ShinyHunters, a notorious cyber criminal group that’s been responsible for numerous data breaches since last year, has been observed searching companies’ GitHub repository source code for vulnerabilities and credentials.
The group has a history of compromising developer code repositories, such as GitHub, to steal credentials or API keys to a company’s cloud services. These are subsequently used to gain access to databases and gather sensitive information to be resold for profit or published for free on hacker forums.
Researchers claim that the group has exposed more than 1.12 million unique email addresses belonging to S&P 100 organisations, education, government and military entities as of late 2020. It is estimated that approximately 20% of all breaches occur as a result of compromised credentials.
Whilst ShinyHunters may not have the notoriety of other ransomware groups, monitoring malicious actors operating in repositories is crucial to preventing an organisation being compromised. It is thought that last year’s SolarWinds winds breach may have stemmed from credentials being inadvertently left in code that was stored in an open source repository.
This is an important reminder to all code developers to ensure that all credentials are removed from any code before storing it in any repositories such as GitHub. Having independent source code reviews throughout the software development cycle can help ensure such information remain confidential.
Top API Vulnerabilities
APIs have become indispensable business tools for many organisations who rely on them to connect multiple applications. Due to the fact that APIs enable large volumes of data transmission, they have long been an attractive target for attackers.
Without proper security testing, APIs can become a perfect point of attack. Due to the fact they are trusted by an application, APIs should be a cause for concern for all organisations that are utilising them.
Researchers have identified the following three common API vulnerabilities all organisations should be addressing:
- Broken Object Level Authorisation (BOLA) which allows an attacker to perform an unauthorised action by reusing an access token.
- Broken User Authentication which allows attackers to impersonate legitimate users.
- Improper Assets Management which allows attackers to access under-secured API endpoints.
Ensuring the applications in your environment are not vulnerable to these three possible API bugs is critical. With expert API penetration testing, your organisation will be able to test the APIs connecting your applications to ensure they are not open to exploitation which can result in large-scale data breaches.
Microsoft Exchange Server Vulnerabilities
Threat actors are actively exploiting vulnerabilities in Microsoft Exchange Servers. These current vulnerabilities are separate from the ProxyLogon ones identified in March.
Of particular concern are the following three ProxyShell flaws:
- CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system.
- CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
- CVE-2021-31207 enables post-authentication malicious actors to execute arbitrary code in the context of SYSTEM and write arbitrary files.
According to researchers, attackers are chaining these three vulnerabilities together to perform unauthenticated remote code execution, and they only need access to the public-facing Web service of Microsoft Exchange, hosted on port 443.
These vulnerabilities are publicly exposed and accessible to anyone on the Internet, meaning attackers can scan the Web looking for vulnerable Exchange Servers. Microsoft has released patches for all three vulnerabilities. It is essential that all organisations ensure their patching is up to date.