[Some Interesting] Cloud ‘n Sec news: 27th May 22
What’s worth your reading time
Microsoft Build 2022
The annual developers’ conference took place this week, with many exciting announcements for developers and the cloud industry in general.
All announcements and video recap can be accessed online.
Amongst the announcements worth double checking are Azure AI:
Azure OpenAI Service, an Azure Cognitive Service, is now available in preview. Approved customers can access different models from OpenAI, including the GPT-3 base series (Ada, Babbage, Curie and DaVinci), Codex series and embedding models, with the enterprise capabilities of Azure.
Microsoft Dev Box:
Microsoft Dev Box will give developers self-service access to high performance, cloud-based workstations that are preconfigured and ready-to-code for specific projects. Azure Deployment Environments will make it easy for developer teams to quickly spin up app infrastructure with project-based templates that establish consistency and best practices.
Microsoft Training and Learning platform:
Enhanced with new and updated training and certifications to offer a wide range of benefits for users, ranging from exam prep to cybersecurity training to data analytics to role-playing real-world tech issues.
The additions and updates include:
Microsoft Learn Cloud Games
Microsoft Exam Readiness Zone
Microsoft Certification Renewal
Twitter fined for using 2FA information for ads
As if all news about their “acquisition” wasn’t enough bad publicity.
No one should expect their security information to be used for monetization of a platform.
According to court documents [PDF], Twitter asked over 140 million users for this information to protect their accounts starting in 2013, but it failed to inform them that the data would also be used to allow advertisers to target them with ads.
Credential stuffing attack exposing personal information
Compromised identities should be a thing of the past, given all the available awareness, frameworks and technology (password managers, 2FA) to mitigate them.
This attack comes to remind us that they aren’t. BleepingComputer reported:
GM disclosed that they detected the malicious login activity between April 11th and April 29th, 2022, and confirmed that the hackers redeemed customer reward points for gift cards in some cases.
GM states they will be restoring rewards points for all customers affected by this breach.
However, these breaches are not a result of General Motors being hacked but rather are caused by a wave of credential stuffing attacks targeting customers on their platform.
Android malware using Zero-days
This piece of news comes from Google’s Threat Analysis Group, which uncovered five zero-day vulnerabilities being used to install Predator spyware.
All three campaigns delivered one-time links mimicking URL shortener services to the targeted Android users via email. The campaigns were limited — in each case, we assess the number of targets was in the tens of users
Read more about this here.
Malware in Word Doc in a PDF?
A report by HP Wolf Security covers this attack, which uses very traditional methods to deliver a payload: a malicious Doc file inside a PDF.
In a campaign seen by HP Wolf Security, the PDF arriving via email is named “Remittance Invoice,” and our guess is that the email body contains vague promises of payment to the recipient.
When the PDF is opened, Adobe Reader prompts the user to open a DOCX file contained inside, which is already unusual and might confuse the victim.
Because the threat actors named the embedded document “has been verified,” the Open File prompt below states, “The file ‘has been verified.’” This message could trick recipients into believing that Adobe verified the file as legitimate and that the file is safe to open.
Make sure to review the technical writeup uncovering the technique and threat here.
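A defender-side triage sketch for the PDF-with-embedded-DOCX pattern described above, added here as an example and not taken from HP Wolf Security's report: it lists attachment names declared in a PDF and checks whether any stream holds a Word document. The function names, the "name without an extension" heuristic and the constructed sample input are assumptions made for illustration.

```python
import io
import re
import zipfile
import zlib

STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# /F (name) or /UF (name) inside a file specification dictionary.
FILESPEC_NAME = re.compile(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)")

def is_docx(data: bytes) -> bool:
    """True if data is a ZIP container holding word/document.xml."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "word/document.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def inflate(raw: bytes) -> bytes:
    """Best-effort /FlateDecode; returns b"" if raw is not zlib data."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return b""

def scan_pdf(pdf: bytes) -> dict:
    """Triage a PDF: attachment names, and whether a stream is a Word file."""
    outside_streams = STREAM.sub(b"", pdf)  # never match names in binary data
    names = []
    if b"/Filespec" in outside_streams:
        names = [n.decode("latin-1") for n in FILESPEC_NAME.findall(outside_streams)]
    docx = any(is_docx(s) or is_docx(inflate(s)) for s in STREAM.findall(pdf))
    return {"names": names, "embedded_docx": docx,
            "extensionless": [n for n in names if "." not in n]}

def build_sample(name: bytes) -> bytes:
    """Constructed test input: minimal PDF-like bytes with one DOCX attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    body = zlib.compress(buf.getvalue())
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Filespec /F (" + name
            + b") /EF << /F 2 0 R >> >>\nendobj\n2 0 obj\n"
            b"<< /Type /EmbeddedFile /Filter /FlateDecode >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(build_sample(b"has been verified")))
```

A raw byte scan like this misses attachments whose dictionaries sit inside compressed object streams, so treat a clean result as inconclusive rather than as proof that the PDF carries no attachment.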
Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo
Thank you for reading and leave your thoughts/comments!