Cyber Intelligence Weekly

Cyber Intelligence Weekly (Aug 29, 2021): Our Take on Three Things You Need to Know

Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.

Away we go!

1. President Biden Meets with Major Tech Companies to Drive Cyber Investments

President Biden met with industry leaders from the technology, education, finance, insurance, and energy sectors to discuss ways to improve national cybersecurity. Several commitments and a bunch of new items were added to the national cyber to-do list coming out of that meeting:

  • The National Institute of Standards and Technology (NIST) will collaborate with industry and other partners to develop a new framework (yes, another framework!) to improve the security of the technology supply chain. Personally, I was happy to hear that the approach will include ideas on how to secure open source software supply chains as well.
  • Expansion of the Industrial Control Systems Cybersecurity Initiative to natural gas pipelines.
  • Apple is stepping up the security of its supply chain, which has over 9,000 suppliers in the US alone.
  • Google will invest over $10 billion in cybersecurity over the next five years, while Microsoft will invest over $20 billion over the same period.
  • IBM will train over 150,000 people in cybersecurity.
  • Amazon will offer their own internal cybersecurity awareness training for free to the public.

2. Microsoft Power Apps Leave Data Exposed to the Internet

UpGuard, a cyber risk management software provider, stumbled across a very big problem. They found that Power Apps, Microsoft's low-code business app builder, exposes the data behind a portal through OData API feeds that answer anonymous requests unless table permissions have been explicitly enabled, which is effectively "open by default" for anyone who does not know the setting exists. This means that many companies using the popular cloud application-building tool have inadvertently allowed anyone on the internet to view the records populated in their databases through the affected Power Apps portals.


This data exposure is very similar to the issues we've seen over the years with misconfigured Amazon S3 buckets. UpGuard reported the "default-by-design" open OData feeds to Microsoft back in June, and days later Microsoft responded with the old "it's a feature, not a bug" answer. By the time the findings were published, UpGuard had counted roughly 38 million exposed records across the portals it examined.

This is unfortunately another example in a long list showing how cloud "features" that are not understood when quickly rolling out cloud infrastructure can create massive information disclosure risk. Always be sure to understand the security options and implications of any cloud service you are using, and test the security of the application before it is placed into production. For Power Apps portals specifically, that means confirming that table permissions are enabled for every list the portal exposes and that the OData feed does not return records to an unauthenticated request.
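The following is an added example of the pre-production check described above; it is not UpGuard's tooling or Microsoft code. It assumes the portal publishes its OData feed at `<portal>/_odata`, that the service document there lists entity sets under a `value` array (standard OData v4 shape), and that an exposed list answers an unauthenticated GET with a JSON body whose `value` array holds records. The portal hostname and the sample responses below are constructed for the demonstration.

```python
"""Probe a Power Apps portal for lists readable without authentication.

Added example, not UpGuard's or Microsoft's code. Assumptions: the feed lives
at <base>/_odata, the service document lists entity sets under "value", and
an exposed list returns records under "value" to an anonymous GET.
"""
import json
import urllib.request
from urllib.error import HTTPError


def fetch_json(url, timeout=10):
    """Unauthenticated GET. Returns parsed JSON, or None when the server
    refuses (401/403) or the path does not exist (404)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        if err.code in (401, 403, 404):
            return None
        raise


def list_entity_sets(base_url, fetch=fetch_json):
    """Entity-set names advertised by the service document (empty if blocked)."""
    doc = fetch(base_url.rstrip("/") + "/_odata")
    if not isinstance(doc, dict):
        return []
    return [item["name"] for item in doc.get("value", []) if "name" in item]


def probe_exposure(base_url, max_rows=5, fetch=fetch_json):
    """Return {entity_set: rows_sampled} for every set readable anonymously.

    Only $top=max_rows rows are requested per set: enough to prove exposure
    without pulling a whole table during a check.
    """
    root = base_url.rstrip("/")
    exposed = {}
    for name in list_entity_sets(base_url, fetch):
        body = fetch(f"{root}/_odata/{name}?$top={max_rows}")
        if isinstance(body, dict) and body.get("value"):
            exposed[name] = len(body["value"])
    return exposed


# Constructed sample responses standing in for a real portal (hypothetical host).
_DEMO_HOST = "https://example.powerappsportals.com"
_DEMO_RESPONSES = {
    f"{_DEMO_HOST}/_odata": {
        "value": [
            {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
            {"name": "feedback", "kind": "EntitySet", "url": "feedback"},
        ]
    },
    # "contacts" has table permissions enabled: the anonymous GET is refused.
    f"{_DEMO_HOST}/_odata/contacts?$top=5": None,
    # "feedback" was left open and hands back records to anyone.
    f"{_DEMO_HOST}/_odata/feedback?$top=5": {
        "value": [{"id": 1, "email": "a@example.com"}, {"id": 2, "email": "b@example.com"}]
    },
}


def _demo_fetch(url, timeout=10):
    """Offline stand-in for fetch_json that answers from the constructed table."""
    return _DEMO_RESPONSES.get(url)


def demo():
    """Run the probe against the constructed portal; expected {'feedback': 2}."""
    return probe_exposure(_DEMO_HOST, fetch=_demo_fetch)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe_exposure(target) if target else demo()
    for name, rows in result.items():
        print(f"EXPOSED: {name} ({rows} rows returned without authentication)")
    if not result:
        print("No anonymously readable lists found.")
```

Run it with a portal URL as the only argument to check a real deployment, or with no argument to see the constructed demonstration. An empty result means the feed refused every anonymous request; any named set in the output is a list whose table permissions need fixing before the portal goes live.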

3. Warning Signs in the Cosmos

Azure Cosmos DB, Microsoft's fully managed NoSQL database service, had a major flaw disclosed recently that allowed a user of the service to reach data belonging to other Cosmos DB customers, whether or not they were authorized. The flaw, found by researchers at Wiz, has been dubbed "ChaosDB" and is explained by them thusly: "ChaosDB gives any Azure user full admin access (read, write, delete) to another customers' Cosmos DB instances without authorization. The vulnerability has a trivial exploit that doesn't require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies."


While Microsoft has stated that it does not believe the issue was exploited and that customer data remained safe, CISA (US-CERT) is recommending that all Cosmos DB users roll and regenerate their Cosmos DB account keys (the primary read-write keys that the flaw exposed) and review Microsoft's guidance on how to secure access to data in Azure Cosmos DB.

Microsoft Statement on CosmosDB Vulnerability: Our investigation indicates that no customer data was accessed because of this vulnerability by third parties or security researchers. We’ve notified the customers whose keys may have been affected during the researcher activity to regenerate their keys.

No matter what Microsoft says, it is always wise to assume breach in these scenarios and work backwards: forensically review the Cosmos DB diagnostic logs (the data-plane request logs, which only exist if diagnostic settings were turned on before the window in question) for access from unfamiliar IP addresses, unusual read volumes, and writes or deletes you cannot account for, and treat anything you find as potential malicious data access or exfiltration.
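As an added example of that assume-breach review (not Microsoft's or Wiz's code), the script below triages Cosmos DB data-plane diagnostic records for successful requests from networks you do not recognize. A leaked account key works from anywhere unless the account's firewall or virtual-network rules restrict it, so source IP is the first pivot. The log lines are constructed, not real telemetry, and the field names (`TimeGenerated`, `ClientIpAddress`, `OperationName`, `StatusCode`, `AuthTokenType`, `DatabaseName`, `CollectionName`) are assumed to match a resource-specific export of the DataPlaneRequests category; map them to your own export if yours differ. The trusted network range is likewise an assumption for the demonstration.

```python
"""Triage Cosmos DB data-plane request logs for access from unexpected sources.

Added example, not Microsoft's or Wiz's code. Each input line is assumed to be
one JSON record from the DataPlaneRequests diagnostic category with the field
names used below (an assumption; adjust to your export).
"""
import ipaddress
import json

# Constructed sample records for the example; not real telemetry.
SAMPLE_LOG = """\
{"TimeGenerated":"2021-08-26T09:12:01Z","ClientIpAddress":"10.20.0.15","OperationName":"Query","StatusCode":200,"AuthTokenType":"PrimaryMasterKey","DatabaseName":"orders","CollectionName":"invoices"}
{"TimeGenerated":"2021-08-26T09:13:44Z","ClientIpAddress":"10.20.0.15","OperationName":"Create","StatusCode":201,"AuthTokenType":"PrimaryMasterKey","DatabaseName":"orders","CollectionName":"invoices"}
{"TimeGenerated":"2021-08-26T11:02:09Z","ClientIpAddress":"203.0.113.77","OperationName":"ReadFeed","StatusCode":200,"AuthTokenType":"PrimaryMasterKey","DatabaseName":"orders","CollectionName":"customers"}
{"TimeGenerated":"2021-08-26T11:02:10Z","ClientIpAddress":"203.0.113.77","OperationName":"ReadFeed","StatusCode":200,"AuthTokenType":"PrimaryMasterKey","DatabaseName":"orders","CollectionName":"customers"}
{"TimeGenerated":"2021-08-26T11:03:30Z","ClientIpAddress":"203.0.113.77","OperationName":"Delete","StatusCode":204,"AuthTokenType":"PrimaryMasterKey","DatabaseName":"orders","CollectionName":"customers"}
{"TimeGenerated":"2021-08-26T12:00:00Z","ClientIpAddress":"198.51.100.9","OperationName":"Read","StatusCode":401,"AuthTokenType":"PrimaryMasterKey","DatabaseName":"orders","CollectionName":"invoices"}
"""

# Networks your own workloads legitimately connect from (assumed for the example).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Operations that change or remove data; everything else is treated as a read.
WRITE_OPS = {"Create", "Upsert", "Replace", "Patch", "Delete", "Execute"}


def parse_records(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(records):
    """Summarise successful (2xx) requests from untrusted source IPs.

    Returns {ip: {"reads": n, "writes": n, "containers": [...],
                  "first": ts, "last": ts, "token_types": [...]}}.
    Failed requests (e.g. 401 after a key rotation) are skipped here but are
    worth a separate look as evidence of someone still trying a revoked key.
    """
    findings = {}
    for rec in records:
        ip = rec["ClientIpAddress"]
        if is_trusted(ip) or not 200 <= int(rec["StatusCode"]) < 300:
            continue
        ts = rec["TimeGenerated"]
        entry = findings.setdefault(ip, {
            "reads": 0, "writes": 0, "containers": set(),
            "first": ts, "last": ts, "token_types": set(),
        })
        if rec["OperationName"] in WRITE_OPS:
            entry["writes"] += 1
        else:
            entry["reads"] += 1
        entry["containers"].add(f'{rec["DatabaseName"]}/{rec["CollectionName"]}')
        entry["token_types"].add(rec.get("AuthTokenType", "unknown"))
        # ISO-8601 UTC timestamps compare correctly as strings.
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    for entry in findings.values():
        entry["containers"] = sorted(entry["containers"])
        entry["token_types"] = sorted(entry["token_types"])
    return findings


def report(findings):
    """Human-readable lines, one per suspicious source IP."""
    lines = []
    for ip, e in sorted(findings.items()):
        lines.append(
            f'{ip}: {e["reads"]} reads, {e["writes"]} writes on '
            f'{", ".join(e["containers"])} between {e["first"]} and {e["last"]} '
            f'using {", ".join(e["token_types"])}'
        )
    return lines


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for line in report(triage(parse_records(text))) or ["No untrusted successful access found."]:
        print(line)
```

Feed it an export of the data-plane log (one JSON record per line) on standard input, or run it without input to see the constructed case, where a single outside address reads a customers container twice and then deletes from it, all with the primary key. Reads from an address you cannot tie to your own systems are the exfiltration signal; writes or deletes from such an address mean you also need to check data integrity, not just confidentiality.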

In other news: Digital Dunkirk a Large Success in Saving Lives in Afghanistan

Digital Dunkirk is a veteran-led effort to help evacuate those in danger in Afghanistan. Led by veterans, many of them cybersecurity professionals, these volunteers helped with negotiating, providing operational security to the families in danger, and coordinating with US forces on the ground to get American citizens and other allies out of the country.

We had several volunteers from our team who helped to lead the charge and they were instrumental in helping save numerous lives in the process. It’s weeks like these that make me proud to work with such a great principled team of cyber pros.
