Written by
Team Nucleus
Written on
21st October, 2022
Recent Azure SFX flaw that could’ve allowed attackers to gain admin privileges
A recent flaw (which has since been patched) could have allowed an attacker to gain admin privileges on an Azure SFX cluster. SFX (Service Fabric Explorer) is an open-source tool developed by Microsoft to inspect and manage Azure Service Fabric clusters. The vulnerability worked by first obtaining access to a user account that only needed the ‘Create Compose Application’ permission, then using that account's privileges to create a rogue application and abuse a cross-site scripting flaw. The impact was that the attacker could trigger a ‘cluster node reset’, which could reset passwords and security configurations and so grant the attacker full admin privileges. Users are urged to update to version 8.1.316.
Brazilian Police Arrest Lapsus$ Suspect
On Wednesday 19th of October, federal police in Brazil arrested a suspected member of the cyber extortion gang Lapsus$, following an investigation under Operation Dark Cloud, which began in August this year. Lapsus$ has become well known over the last year for high-profile attacks on corporations including Nvidia, Samsung, Ubisoft, Microsoft, Uber and, most recently, Rockstar Games. The Brazilian Federal Police first opened an investigation into the group in December 2021 after an attack on websites run by Brazil’s Ministry of Health, which resulted in a 50TB exfiltration and gave the hackers the ability to delete data and manage COVID vaccine certificates. Not much is known about the latest person arrested, except that they are likely a teenager. This follows the arrest of 7 others linked to the group in London in March 2022. It’s currently unknown how big this group actually is.
Fraudulent use of PayPal Invoicing Spotted
Phishing scams become more sophisticated and harder to detect every week, even more so when legitimate features of trusted service providers are used for fraudulent purposes. This week, Telesoft analysts picked up and investigated an interesting use of PayPal's Send Estimate feature from what is thought to be a compromised PayPal Business account. An estimate would arrive from a legitimate PayPal email address with a message indicating that there had been fraudulent activity on the recipient's account – seemingly the purchase of an Amazon or John Lewis gift card – and instructing the recipient to either pay or ring a specific telephone number for assistance. The lure is effective at evading phishing and spam filters because the email genuinely originates from PayPal; only the message carried inside the estimate is fraudulent, and the telephone number it gives is not PayPal's.
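Because sender checks pass on these emails, detection has to look at the merchant name and the free-text note inside the estimate. The following scoring heuristic is an added example written for this digest, not Telesoft's or PayPal's own tooling; the two notifications it scans are constructed samples, the phone-number pattern assumes UK-style numbers, and the `trusted_numbers` set is a placeholder for an organisation's list of approved PayPal contact numbers.

```python
import re

# Constructed sample notifications for this example (not real PayPal mail):
# a genuine estimate and one carrying the lure described in the digest.
SAMPLES = [
    {"from": "service@paypal.com", "subject": "Estimate from Acme Design Ltd",
     "body": "Acme Design Ltd sent you an estimate for GBP 450.00 for website "
             "design. Review the estimate in your PayPal account."},
    {"from": "service@paypal.com", "subject": "Estimate from PayPal Support",
     "body": "We detected fraudulent activity on your account: a purchase of an "
             "Amazon gift card for GBP 299.99. If you did not authorise this, "
             "call 0203 555 0182 immediately or pay to resolve."},
]

# Assumed UK-style phone pattern; adapt for other regions.
PHONE_RE = re.compile(r"(?:\+44\s?|0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}")
LURE_TERMS = ("fraudulent", "unauthorised", "unauthorized", "gift card", "call", "ring")
RETAILERS = ("amazon", "john lewis")
MERCHANT_RE = re.compile(r"estimate from (.+)", re.IGNORECASE)


def score_estimate(msg, trusted_numbers=frozenset()):
    """Score one estimate notification; returns (score, reasons).
    trusted_numbers holds digits-only approved numbers (placeholder set)."""
    body, reasons, score = msg["body"].lower(), [], 0
    # A phone number in the merchant note that is not an approved PayPal number.
    phones = [p for p in PHONE_RE.findall(msg["body"])
              if re.sub(r"\D", "", p) not in trusted_numbers]
    if phones:
        score += 2
        reasons.append(f"unexpected phone number: {phones}")
    # Whole-word lure vocabulary (fraud alert + instruction to call/pay).
    hits = [t for t in LURE_TERMS if re.search(rf"\b{re.escape(t)}\b", body)]
    if hits:
        score += min(len(hits), 3)
        reasons.append(f"lure wording: {hits}")
    shops = [r for r in RETAILERS if r in body]
    if shops:
        score += 1
        reasons.append(f"gift-card retailer named: {shops}")
    # Merchant name chosen by the (compromised) business account imitating PayPal.
    m = MERCHANT_RE.search(msg["subject"])
    if m and "paypal" in m.group(1).lower():
        score += 2
        reasons.append(f"merchant name impersonates PayPal: {m.group(1)!r}")
    return score, reasons


def is_suspicious(msg, threshold=3):
    return score_estimate(msg)[0] >= threshold
```

Running `score_estimate` over the samples gives 0 for the genuine estimate and 8 (four reasons) for the lure; approving the number via `trusted_numbers` drops the lure to 6, still well above the threshold.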
Server Misconfiguration Led to Data Leak affecting 65000+ companies
Microsoft confirmed this week that a misconfigured storage blob hosted on its Azure cloud platform was publicly accessible without authentication and contained information relating to thousands of customers, totalling around 2.4 TB of data. The misconfiguration was spotted by the cybersecurity company SOCRadar, which named the leak BlueBleed. Microsoft is currently notifying any affected customers.