It was a Good Day!
> Just wakin’ up in the mornin’, gotta thank God. I don’ know, but today seems kinda odd, no barkin’ from the dog, no smog, and mama cooked the breakfast with no hog. I got my grub on but didn’t pig out, hooked it up for later as I hit the door,
> thinkin’ “Will I live another 24?”
Hey folks, the weekend has started, and somehow weekend nights feel surreal. This is part 15 of our series; let’s see the topics which I will try to discuss a bit more elaborately today.

1. Cloud Credentials

I believe we discussed a few things on cloud infrastructure in previous parts, so let’s move on to the part where it all starts. As we know, the data is safely organized and categorized inside a customer’s account, and these accounts are accessed by using a set of credentials (email/username and password). Using those credentials, we log in to our account and do various tasks such as uploading/downloading our content. An attacker can compromise your account if they get their hands on any breached info which has your personal details. You might have used different passwords but, if your account interests an attacker, he/she may go after it as a means of passing time too. It may require some time, depending on the password complexity and the type of curated wordlist that they created just for you, to perform the brute-force attack on the cloud service. Now, the cloud guys aren’t sitting ducks. They would have already imposed and implemented many security measures, which start with anti-brute-force measures. How? A normal user takes about 30 sec to 1 min to finish the login and sends only a handful of requests, even allowing for network issues or browser issues, but an automated script can’t do much without sending many requests in a short amount of time; that’s why it is easier to detect. How can an attacker improve? Like every other web application service, the cloud also has a login page where, after you submit the required credentials, the request goes to the web server and then to the database to check whether this user exists; if so, the request is authenticated and you land in your personal account.
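An added example (not from the article) of the rate-based detection just described: a small Python detector run over a constructed login log, keyed on the source IP and, separately, on the target account, so a burst of failures against one account still fires even when the attempts do not share an address. The log format, the 60-second window, the threshold of 5 and the addresses are my assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a cloud login audit log (not from the article):
# timestamp, source IP, account, result. alice is hit from one address,
# bob mistypes once, carol is hit from a different address each time.
SAMPLE_LOG = """\
2024-05-10T09:00:00 203.0.113.5 alice@example.com FAIL
2024-05-10T09:00:02 203.0.113.5 alice@example.com FAIL
2024-05-10T09:00:04 203.0.113.5 alice@example.com FAIL
2024-05-10T09:00:06 203.0.113.5 alice@example.com FAIL
2024-05-10T09:00:08 203.0.113.5 alice@example.com FAIL
2024-05-10T09:01:00 198.51.100.7 bob@example.com FAIL
2024-05-10T09:01:30 198.51.100.7 bob@example.com OK
2024-05-10T09:02:00 192.0.2.11 carol@example.com FAIL
2024-05-10T09:02:05 192.0.2.12 carol@example.com FAIL
2024-05-10T09:02:10 192.0.2.13 carol@example.com FAIL
2024-05-10T09:02:15 192.0.2.14 carol@example.com FAIL
2024-05-10T09:02:20 192.0.2.15 carol@example.com FAIL
2024-05-10T09:02:25 192.0.2.16 carol@example.com OK
"""

WINDOW = timedelta(seconds=60)
BURST = 5  # failures inside WINDOW that a person typing by hand never reaches

def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result

def detect(log_text, window=WINDOW, burst=BURST):
    """Sliding-window burst detection keyed on the source IP and, separately,
    on the account, so attempts spread over many addresses still fire.
    Returns {(kind, key): first timestamp the rule fired}."""
    recent = defaultdict(deque)  # (kind, key) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ts, ip, account, result = parse_line(line)
        if result == "OK":
            # Success right after a burst on that account: the attacker is in.
            if ("account", account) in alerts:
                alerts.setdefault(("takeover", account), ts)
            continue
        for kind, key in (("ip", ip), ("account", account)):
            q = recent[(kind, key)]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= burst:
                alerts.setdefault((kind, key), ts)
    return alerts
```

On the sample, alice trips both the IP and the account rule, carol trips only the account rule (and then the takeover rule when the login succeeds), and bob trips nothing.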
To improve an automated script, one needs to include another subscript which creates believable user agents in real time, plus a rotating proxy of legitimate devices. The script can then be hard to differentiate from real users; in this way the script’s presence can be hidden within the original traffic coming to the website. The credentials can be stolen or compromised in many ways (let’s stick to the topic). After a successful login, the attacker can change or completely modify your account details so that you cannot log in again. The account will be in his control.

2. Browser Extensions

These days, there’s literally a huge load of extensions ready to be used by people. They are ready to be downloaded for almost anything: if you like to download YT videos there’s an extension for it, if you want to block ads there’s another extension for it, and if you would like to see or do anything in the browser, just go to the extension store and look at the categories; there would be thousands of them. The problem with them is that they are the best way to gather data from users. I don’t want to sound like a delusional writer, but there could be a chance of a state-sponsored hacktivist group creating and deploying these popularly used extensions. While they serve their purposes, they might also carry out unlawful activities behind the pretty face of an extension with a sleek UI. By downloading an extension and turning it on, we give it access to view our website-visiting demographics and what we do, how much time we spend on average, and what the most frequently used websites are, sorted on the basis of age, gender, sexuality, race, ethnicity and region. I won’t say that the browsers are doing a bad job at detecting this software; they will do their jobs. The sad part is that they will not realize the detection until it has already infected millions of users. It’s not that hard for a state-sponsored group to create something which is undetectable by the old-school guys at Chrome/Mozilla, right?
To the people, it doesn’t exist as long as it is working perfectly in disguise, but the security teams are aware of the risks. Even if they face any such issue, they will just sweep it under the carpet. Why? Because the company will lose its reputation, and people only need a “half reason”; something as simple as “more secure” would do the trick. That’s why they will never disclose security issues coming from extensions. Try to give as few permissions as possible to the extensions you are using, or have it with you.

3. Compromised Client Software

Software applications can be compromised to make them a feasible playground for attackers. Clients who might be using broken or old applications with publicly available Common Vulnerabilities and Exposures (CVE) reports are the first ones who will be targeted and exploited. Some CVEs are so critical that they enable the attacker to fully utilize the application’s resources and do things remotely, which are the most common ways for botnet infections and crypto-mining. The software can be normal day-to-day applications, drivers, web browsers, internal software components, etc. On the other hand, the compromised applications can be used to fetch the real malware into the system, such as ransomware. Then the attacker can begin the attack and gain money from the ransom paid by the victim. Like all the things we’ve discussed, any cyber attack can be deadly if the attacker is smart enough to utilize any opportunity, whether it be small or big.

4. Cloud Infrastructure Discovery

Cloud infra is one of the very big things which needs constant improvement and security, due to its risk factors. The attacker can gain valuable insights on the infrastructure, like what kind of service is used and the details about the provider, past vulnerability disclosures of that provider, infrastructure enumeration, open source intelligence hunts, etc.
They can get a gist of what has been going on in the company; they can even assess the company’s security posture based on the cloud security team, which would be freely visible on LinkedIn. “But LinkedIn only shows it to other LinkedIn users, why would an attacker show himself out?” LinkedIn isn’t secure for data privacy and integrity; it’s the last place you would like to have your data in. Unlike Facebook and Instagram, LinkedIn doesn’t use sophisticated identity verification methods; if you have an educational mail then you can easily sneak in. How to get one? Filter the web. The attacker can look for fake passport generators, fake ID generators, etc. Surprisingly, I can’t believe that LinkedIn uses real people to do this stuff, but still they couldn’t grasp what has been going on. Well, some things can’t be changed. After discovering the information regarding the cloud infrastructure, the attacker can plan further complex attacks focusing on a company’s cloud security.

5. Cloud Service Dashboard

I have no idea why I’ve included this in the list, but let’s see it anyway. It literally means the dashboard we face when we log in to our cloud service provider’s web/application. It’s a place where we can manage the content, like the images/videos we have uploaded, change or modify account settings, account security and many others. I don’t want to go with the whole attacker thing again; it feels like I’ve said it a hundred times already. Let’s give it some time and use it tomorrow; in the meanwhile you can learn about cloud architecture online, just give it a search!

That’s it for today. I felt like the images are getting stupid every day, so I stopped embedding them in the articles, and I’m planning to create an index page for all the topics I have covered and publish it as a pinned story, so that it would be helpful for others and for me too! I’ll see you tomorrow.