Amazon’s voice assistant wisecracks her way through SQL injection attacks on serverless environments at Black Hat Europe
Developers in serverless environments must heed the threat posed to their applications by voice command inputs, an industry expert has warned.
Speaking at the Black Hat Europe conference in London last week, researcher Tal Melamed took control of vulnerable applications hosted on serverless environments using Alexa-guided SQL injection attacks.
‘Sounds like a dream’
Serverless architecture, which allows developers to build applications without provisioning a server, is becoming an increasingly popular choice among developers, said Melamed, who is leading the OWASP Serverless Top 10 project.
Code is executed only when needed and “you don’t pay for what you don’t use”, the researcher noted, adding that the approach is a boon for “experimentation and scaling up”.
Serverless application development “sounds like a dream,” he said. But if organizations are liberated from the burdens of server management, it does not follow that security concerns are fully outsourced to service providers like AWS, Azure, and Google Cloud Platform.
This is because serverless applications still execute code, said Melamed – and insecure code is vulnerable to application-level attacks.
Melamed, head of research at Protego Labs, told The Daily Swig that all too many developers are unaware that serverless environments demand a different security posture from their traditional counterparts.
Outsourcing the perimeter
Outsourcing server architecture might reduce workload, but it also tears down the security perimeter.
“Serverless is an event-driven architecture where code is triggered via different events in the cloud,” Melamed told The Daily Swig.
Unlike in monolithic applications, the inputs that reach a developer’s code are no longer limited to API calls.
“Code can now be executed due to an email that was received, a file that was uploaded or a database table that was changed. The ‘connection’ between those events to your code is transparent and is controlled by the cloud provider.”
All too many developers “are unaware of the adjustments” they need to make “to attend [to] those risks.”
Those adjustments include never trusting inputs, which should be validated before data is processed.
“However, [developers] need to get used to the fact that the input could come from unexpected sources, like Alexa voice commands,” added Melamed.
Alexa, what is my balance?
Melamed’s final demonstration, in which he stole data from a hypothetical user account, illustrated how a voice-command injection attack requires only “code [that’s] vulnerable to SQL injection, which accepts inputs from Alexa (or any other voice-enabled devices) and processes the input as part of the database queries without validating it first.”
Alexa translated his voice commands – such as “what is my balance?” – into code.
“I designed it so it would translate words of numbers into actual numbers,” he told attendees.
The voice-delivered code that cracked the user’s secret ID, unlocking the cash balance, was .
The lesson to “organizations that develop voice-enabled applications” is clear, Melamed told The Daily Swig: they “should consider voice-commands as [an] input to their application.”
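The pattern Melamed describes, as an added illustration that is not the talk’s own code: a voice-skill handler that turns spoken digit words into a number and then queries an account table, shown once with the slot value spliced into the SQL string and once with the value allow-listed and bound as a parameter. The table contents, the four-digit secret ID format and the slot strings are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the talk): an accounts table a voice skill queries.
_ROWS = [(1234, "alice", 500.0), (5678, "bob", 1250.0), (9012, "carol", 80.0)]

_WORD_DIGITS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def _db() -> sqlite3.Connection:
    """Build an in-memory accounts table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (secret_id INTEGER, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", _ROWS)
    return conn


DB = _db()


def words_to_number(utterance: str) -> str:
    """Translate spoken digit words into digits ('one two three four' -> '1234');
    consecutive digit words are glued together, other words pass through unchanged."""
    out = []
    for word in utterance.split():
        digit = _WORD_DIGITS.get(word.lower())
        if digit is not None and out and out[-1].isdigit():
            out[-1] += digit
        else:
            out.append(digit if digit is not None else word)
    return " ".join(out)


def balance_vulnerable(slot_value: str):
    """'Before' form: whatever the voice slot contains is spliced into the query,
    so a slot that is not a bare ID changes the WHERE clause and can return every row."""
    sql = "SELECT owner, balance FROM accounts WHERE secret_id = " + slot_value
    return DB.execute(sql).fetchall()


def balance_hardened(slot_value: str):
    """Fixed form: treat the voice slot as untrusted input. Allow-list it to the
    expected four-digit shape, then bind it as a parameter instead of concatenating."""
    if not re.fullmatch(r"[0-9]{4}", slot_value):
        return None  # reject anything that is not exactly a 4-digit account ID
    sql = "SELECT owner, balance FROM accounts WHERE secret_id = ?"
    return DB.execute(sql, (int(slot_value),)).fetchone()


def handle_balance_intent(utterance: str):
    """Hypothetical skill entry point: spoken words -> number -> parameterised lookup."""
    return balance_hardened(words_to_number(utterance))
```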
Melamed also launched event injection attacks through a third-party app using a REST API, against cloud storage, and via email.
Melamed said his demos – coming soon to GitHub – evidenced the importance of shrinking “the attack surface by following the least-privilege principle: narrowing down the permissions of every serverless function as much as possible.”
Attendees were also urged to automate their defensive processes wherever possible.
Telling it like it is, Alexa clearly assigned blame for successful injection attacks: “In short, the problem isn’t the cloud – it’s you [the developer]”.
The post ‘Alexa, hack my serverless technology’ – attacking web apps with voice commands appeared first on National Cyber Security.
The Adwind jRAT, a remote access Trojan known for targeting login credentials and other data, is adopting new tactics as its operators aim to better conceal malicious activity. Its actors exploit common Java functionality to steal information while evading defensive security tools.
Adwind, related to AlienSpy and also known as Frutas, Unrecom, Sockrat, and JSocket, is a known cross-platform RAT that has been targeting businesses since 2013. It’s capable of stealing credentials, system information, and cryptographic keys, as well as keylogging, taking screenshots, and transferring files. This jRAT typically uses phishing emails, infected software, or malicious websites to target a range of platforms including Windows, Linux, and macOS.
A new variant is focused on Windows machines and the common Windows applications Explorer and Outlook, report researchers at Menlo Security, who detected it about four months ago. Adwind is now going after Chromium-based browsers, including newer browsers such as Brave. Menlo Security researcher Krishnan Subramanian says the pivot to Windows was a logical move for Adwind’s operators: while the jRAT was platform-agnostic, most of its victims ran Windows.
The latest jRAT variant uses Java to take control over and collect data from a victim’s machine. It’s specifically after login credentials, says Subramanian, who notes this particular variant has been actively targeting industries like financial services, where login credentials are valuable.
This malware arrives in a JAR file concealed in a link inside a phishing email or downloaded from a legitimate site serving up unsecured third-party content. Researchers also noticed infections coming from outdated and illegitimate WordPress sites, noting the latter delivery technique is growing popular among cybercriminals capitalizing on vulnerabilities in the publishing platform.
Adwind jRAT arrives in a malicious JAR file, with malware hidden under layers of obfuscation. The initial JAR decrypts, prompting a set of processes that ends with initializing the RAT with the command-and-control (C2) server. Adwind is then able to decrypt a file to access a list of C2 server IP addresses. It chooses one, and an encrypted request is made via TCP port 80 to load another set of JAR files. These activate the jRAT, which becomes functional and can send C2 requests to access and send credentials from the browser to a remote server. Credentials can be from banking websites or business apps, so long as they’re from a Windows browser or app.
Hidden in Plain Sight
This variant of Adwind stays hidden by acting like any other Java command. Millions of Java commands flow in and out of an enterprise network, and threat intelligence has little to no heuristics to use for creating a static rule or signature that will detect the initial JAR payload. There is nothing suspicious about its appearance or behavior; on the surface, it seems normal.
“Malware that takes advantage of common Java functionality is notoriously difficult to detect or detonate in a sandbox for the simple fact that Java is so common on the Web,” Subramanian writes in a blog post. As he explains, efforts to block or limit Java on the Web would have far-reaching consequences. It’s a nonstarter for those relying on rich web apps or SaaS platforms.
There is one way the Adwind jRAT stands out: Most Java commands don’t view and send stolen credentials to a remote server, Subramanian says. This behavior will eventually show itself.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …
Cyber red teams are still able to gain the upper hand in major training exercises, and combatant command missions “remain at risk when subjected to cyber-attacks emulating an advanced nation-state adversary,” according to a Department of Defense report. The Office …