Exposed Databases on Amazon Web Services Discovered

This week, we hear about recent Amazon Web Services database exposures and the discovery of XcodeGhost, a new iOS malware that may have affected over 4,000 applications.

Breach

Exposed Databases on Amazon Web Services Discovered

In early September, after hearing rumors of “exposed databases” on Amazon Web Services (AWS), a “technology enthusiast” decided to investigate the claim and was able to download personal information pertaining to 1.5 million people.

Fortunately, the enthusiast contacted the affected companies and made them aware of the breach. Examples of data found on this occasion included police injury reports, drug tests, detailed notes from medical visits, Microsoft Outlook personal storage table (PST) files and social security numbers. Information on mitigation and securing the exposed databases is unavailable, but the compromised data was not published.

This is a typical nightmare scenario for cloud-based services: a third-party error that inadvertently exposes data. In this scenario, confidentiality, integrity, availability, financial status and brand reputation are all at risk.

References: DataBreaches.Net Article - Leaked insurance claims data | Gawker.com Article - Exposed Heritage Foundation info

Mitigation Strategies:

Malware

XcodeGhost Malware Prompts Scare in Apple App Store

Earlier this week, Chinese developers disclosed a new iOS malware called XcodeGhost on Sina Weibo, a microblogging service. XcodeGhost is built from a malicious version of Xcode, Apple's official tool for developing iOS and OS X applications.

A malicious version of Xcode was uploaded to Baidu, a Chinese cloud file-sharing service, and downloaded by iOS developers in China. The developers unknowingly compiled iOS applications using the modified Xcode IDE and distributed them through the App Store. The infected applications passed Apple's code review process, so iOS users were able to install or update them on their devices.

Initially, researchers believed fewer than 50 applications were infected, but findings now suggest over 4000 were infected, and more than 500 million iOS users, primarily in China and the Asia Pacific region, may have downloaded these applications.

iOS applications infected with XcodeGhost malware collect information about the device, then encrypt and upload that data to command and control (C2) servers run by the attackers. U.S. cybersecurity firm Palo Alto Networks has been reporting on the malware and explained that infected iOS applications can receive commands from the attacker via the C2 server to perform the following actions:

  • Prompt a fake alert dialog to phish user credentials
  • Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS applications
  • Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool

If you use an Apple device, directly or indirectly, with a company network or company applications, then the threat to company infrastructure via this channel is real.

References: The Register Article - Initial number of affected apps increases | Ars Technica Article - Infected app capabilities | Mac Rumors - Top 25 List of Affected Apps

Mitigation Strategies:

  • Download applications from a reputable source
  • iOS users should immediately uninstall any infected iOS app listed here or update to a newer version that has removed the malware
  • Reset your iCloud password and any other passwords entered on your iOS device as a precautionary measure
  • Developers should install official versions of Xcode 7 or Xcode 7.1 beta from Apple's website for free and avoid downloading the software from unofficial sources
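The last mitigation can be verified rather than assumed. The script below is an added example (not from this bulletin or from Apple) that wraps the Gatekeeper assessment Apple recommended for checking an Xcode install, `spctl --assess --verbose /Applications/Xcode.app`, and accepts the bundle only when Gatekeeper accepts it and reports an Apple source. The exact output layout it parses (a `path: accepted` line followed by a `source=...` line) is an assumption about spctl's verbose format.

```python
"""Check whether a local Xcode.app carries Apple's own code signature.

Added example: wraps the `spctl --assess --verbose` Gatekeeper check and
classifies its output. Only the subprocess call requires macOS; the parser
is pure and can be exercised anywhere.
"""
import subprocess
import sys

# Sources Gatekeeper reports for Xcode builds distributed by Apple.
# A copy fetched from a third-party file host would typically be rejected
# or show a different source (e.g. "Developer ID", "no usable signature").
TRUSTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}


def parse_spctl(output: str) -> tuple:
    """Return (accepted, source) parsed from spctl's verbose output.

    Assumed shape:
        /Applications/Xcode.app: accepted
        source=Mac App Store
    """
    accepted, source = False, ""
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.startswith("source="):
            source = line[len("source="):].strip()
    return accepted, source


def is_genuine_xcode(output: str) -> bool:
    """True only if Gatekeeper accepted the bundle AND the signer is Apple."""
    accepted, source = parse_spctl(output)
    return accepted and source in TRUSTED_SOURCES


def check_xcode(path: str = "/Applications/Xcode.app") -> bool:
    """Run the assessment on macOS and report the verdict (hypothetical helper)."""
    if sys.platform != "darwin":
        raise RuntimeError("spctl is only available on macOS")
    proc = subprocess.run(["spctl", "--assess", "--verbose", path],
                          capture_output=True, text=True, check=False)
    # spctl may write the verdict to stderr; merge both streams before parsing.
    verdict = is_genuine_xcode(proc.stdout + proc.stderr)
    print("OK: Apple-signed Xcode" if verdict else "WARNING: untrusted Xcode")
    return verdict


if __name__ == "__main__":
    sys.exit(0 if check_xcode(*sys.argv[1:2]) else 1)
```

A non-zero exit status makes the check usable in a developer-machine compliance script, which is where a trojanised build tool is most cheaply caught.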

Top 20 IP Addresses
