At a glance.
- AWS misconfigurations expose private data.
- Scam subscription come-on leads to data theft.
AWS Systems Manager user misconception exposes private data.
Check Point Software examines the troubling trend of user “misconception” around the Amazon Web Services (AWS) Systems Manager, and how it can lead to the exposure of private data. Analysts at Check Point Research (CPR) discovered 5 million AWS records containing personally identifiable information and credit card transactions as a result of the misuse of the AWS Systems Manager. Systems Manager lets users automate tasks across AWS products by creating Systems Manager (SSM) documents, which define the actions Systems Manager carries out on the resources it manages.
CPR found that many users (including an unnamed leading international sportswear manufacturer) are overlooking parameters and misunderstanding what data belongs in these SSM documents. For instance, they found many SSM documents containing hardcoded usernames, passwords, or access keys, essentially handing an intruder an invitation to the inner workings of the company’s AWS environment. Furthermore, the SSM document names users choose often plainly indicate the sensitive data inside, like neon signs directing an attacker straight to the most valuable documents.
CPR worked with AWS to outline some basic guidelines for securing Systems Manager. They recommend that users be more cautious about the data they include in public SSM documents, pass activation keys and usernames in as document parameters rather than hardcoding them, and avoid sharing deployment processes and backup procedures.
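To make the difference between a hardcoded and a parameterized SSM document concrete, here is an added example (not Check Point's or AWS's code) that scans SSM document JSON for the kinds of embedded secrets CPR describes and flags a document name that advertises sensitive contents. Both documents, the access key ID (AWS's documented placeholder value), the password and the bucket name are constructed for illustration; the regexes are a starting point, not an exhaustive secret scanner.

```python
"""Scan AWS Systems Manager (SSM) document content for hardcoded secrets.

Added example for this summary; it is not Check Point's or AWS's code.
Both documents below are constructed for illustration. The access key ID
is AWS's documented placeholder value, not a real credential.
"""
import json
import re

# Literal AWS access key IDs (long-term AKIA..., temporary ASIA...).
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Inline credential assignments in shell commands: --password x, -pSECRET,
# PASSWORD=..., AWS_SECRET_ACCESS_KEY=..., AWS_ACCESS_KEY_ID=...
CRED_ASSIGN_RE = re.compile(
    r"(?:(?<!\S)--password[= ]|(?<!\S)-p(?=\S)"
    r"|\b(?:PASSWORD|AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID)=)(\S+)"
)

# Parameter names that should never carry a literal default value.
SENSITIVE_NAME_RE = re.compile(r"(password|passwd|secret|key|token|activation)", re.I)

# Values SSM substitutes at execution time: {{ParamName}} or
# {{ssm-secure:/path}} (SecureString reference), optionally shell-quoted.
PLACEHOLDER_RE = re.compile(r"^['\"]?\{\{(?:ssm-secure:)?[\w./-]+\}\}['\"]?$")

# Document names that advertise sensitive contents to anyone browsing.
LEAKY_NAME_RE = re.compile(r"(cred|passw|secret|token|pii|card|ssn|customer)", re.I)


def _walk(node, path=""):
    """Yield (json_path, scalar) pairs for every leaf in a parsed JSON object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def scan_document(doc_json: str) -> list[dict]:
    """Return {'path', 'issue'} findings for an SSM document given as JSON text."""
    findings = []
    for path, value in _walk(json.loads(doc_json)):
        if not isinstance(value, str):
            continue
        if AWS_ACCESS_KEY_RE.search(value):
            findings.append({"path": path, "issue": "literal AWS access key ID"})
            continue
        match = CRED_ASSIGN_RE.search(value)
        if match and not PLACEHOLDER_RE.match(match.group(1)):
            findings.append({"path": path, "issue": "credential assigned inline"})
            continue
        # parameters.<Name>.default: a default on a secret parameter is a hardcoded secret.
        parts = path.split(".")
        if (len(parts) == 3 and parts[0] == "parameters" and parts[2] == "default"
                and SENSITIVE_NAME_RE.search(parts[1]) and value):
            findings.append({"path": path, "issue": "sensitive parameter has literal default"})
    return findings


def classify(doc_json: str) -> str:
    """'hardcoded' if any secret is embedded in the document, else 'parameterized'."""
    return "hardcoded" if scan_document(doc_json) else "parameterized"


def name_leaks_sensitivity(document_name: str) -> bool:
    """True if the document name itself tells an attacker what to open first."""
    return bool(LEAKY_NAME_RE.search(document_name))


# Constructed "before": the pattern CPR describes, with credentials pasted in.
HARDCODED_DOC = json.dumps({
    "schemaVersion": "2.2",
    "description": "Prod DB backup with credentials",
    "parameters": {"ActivationKey": {"type": "String", "default": "a1B2c3D4e5F6"}},
    "mainSteps": [{
        "action": "aws:runShellScript",
        "name": "backup",
        "inputs": {"runCommand": [
            "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
            "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "mysqldump -u backup -pHunter2! prod | aws s3 cp - s3://prod-db-backups/dump.sql",
        ]},
    }],
})

# Constructed "after": the password arrives as a parameter at execution time and
# the instance profile supplies AWS credentials, so the document holds no secret.
PARAMETERIZED_DOC = json.dumps({
    "schemaVersion": "2.2",
    "description": "Prod DB backup",
    "parameters": {"DbPassword": {"type": "String", "description": "Supplied per execution; no default"}},
    "mainSteps": [{
        "action": "aws:runShellScript",
        "name": "backup",
        "inputs": {"runCommand": [
            "mysqldump -u backup -p'{{DbPassword}}' prod | aws s3 cp - s3://prod-db-backups/dump.sql",
        ]},
    }],
})

if __name__ == "__main__":
    for label, doc in (("hardcoded", HARDCODED_DOC), ("parameterized", PARAMETERIZED_DOC)):
        print(label, classify(doc), scan_document(doc))
    print(name_leaks_sensitivity("Prod-DB-Backup-With-Creds"), name_leaks_sensitivity("Backup-Prod-DB"))
```

Running this against real documents means pulling each document's content (for example with `aws ssm get-document`) and feeding the JSON to `scan_document`; the scan only covers the assignment forms listed in the regexes, so treat a clean result as "nothing obvious", not as proof. Run Command also accepts `{{ssm-secure:name}}` references to SecureString parameters, which the placeholder check recognises as safe, so a secret never has to be typed into the document at all.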
Subscribing to data theft.
Avanan looks at a phishing operation that capitalizes on the boring but necessary task of renewing software subscriptions. Most users are all too familiar with the standard reminder email software providers send to notify subscribers that a subscription needs to be renewed. The attackers take advantage of user trust in this process by sending the target an email branded as a familiar software vendor, in this case Microsoft Office 365, stating that the user’s subscription has expired and must be renewed. It includes a link to a “service portal,” a site where the user can supposedly sign in and re-up their account. Despite the legitimate appearance of the spoof, the “service portal” is actually a credential-harvesting site, and the only service it provides is to send the victim’s login data directly to the scammers.