Microsoft Confirms Misconfigured Storage Location Incident Dubbed "BlueBleed"
On October 19, 2022, Microsoft confirmed that thousands of users' sensitive information was exposed due to a security incident dubbed "BlueBleed”. BlueBleed was discovered by cybersecurity company SOCRadar on September 24, 2022, and is the misconfiguration of six (6) storage buckets collectively from one misconfigured Microsoft endpoint. In their blogpost about the incident, SOCRadar stated "The first part of the collection is due to a misconfigured Azure Blob Storage. It can be considered one of the most significant B2B leaks, affecting more than 65,000 entities in 111 countries with sensitive data inside a single Bucket." The researchers explained that the exposure allegedly amounts to approximately 2.4 terabytes (TB) of data, which is now publicly available and potentially consists of invoices, various business documents, emails, stocks, sales strategies, and more sensitive information. The data also allegedly includes files dated from 2017 to August of 2022 and impacts 548,000 users. In their Microsoft Security Resource Center (MSRC) posting from October 19, Microsoft emphasized that the data includes "names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner." Microsoft also claimed that "SOCRadar has greatly exaggerated the scope of this issue" as their analysis shows duplicate information with various references to the same information. This situation is ongoing, and CTIX analysts will continue to monitor for detail confirmations as well as update as necessary.
- The Hacker News: Microsoft Data Exposure Article
- Microsoft: MSRC Post
- SOCRadar: BlueBleed Article 1
- SOCRadar: BlueBleed Article 2
Threat Actor Activity
TeamTNT IOC's Indicate a Possible Return of the Group
Indicators captured from a TrendMicro honeypot shows activity relating back to the TeamTNT threat organization, which was reportedly out of commission in November 2021. Historically, TeamTNT was a threat group that primarily targeted cloud and container environments on a global scale. These actors would often deploy cryptocurrency miners onto the victim’s environment for their own personal usage. After about a three (3) year run, TeamTNT stated that it was ceasing operations in 2021. Recent attack patterns captured by security teams shows indications of a possible return from TeamTNT, citing known malicious IP addresses establishing connections to exposed Docker API endpoints. While this shows a plausible return from TeamTNT, security analysts remain optimistic as there is a possibility of one or more copycat organizations using previously allocated TeamTNT infrastructure to carry out similar cryptocurrency attacks. The supposed returning group has been seen deploying the XMRig cryptominer malware on compromised systems alongside ZGrab, pnscan, and massscan scripts. Some domains and filenames link back to known WatchDog indicators of compromise from previous attacks. CTIX analysts will continue to monitor activity surrounding a potential TeamTNT return and provide additional updates accordingly.
New Zero-day Apache "Text4Shell" Vulnerability Compared to the Notorious Log4j Exploit
Security researchers from Wordfence, the WordPress security plugin, have announced that a new critical zero-day vulnerability in the Apache Commons Text Library is being actively exploited in-the-wild by threat actors. The Apache Commons Text Library is a low-level addition to the Java Development Kit's (JDK) text handling, performing operations like calculating string differences, escaping, and substituting placeholders in text. The vulnerability has been coined "Text4Shell" (tracked as CVE 2022-42889) and results from insecure defaults when the library performs variable interpolation, which is the process of identifying the value of strings in code sets that contain placeholders. The flaw affects users who have direct dependencies on Apache Commons Text in their web applications that are using the string substitution feature and allowing the function to accept user inputs. A threat actor could exploit this vulnerability to set up a reverse shell with the vulnerable application via a maliciously crafted DNS or URL query payload. If successfully exploited, victims could unknowingly make a DNS query to the attacker-controlled domain at the other end of the reverse shell, potentially allowing the threat actors to breach the victim network and perform devastating follow-on attacks like remote code execution (RCE).
The flaw has been compared by some to notorious flaws like "Log4Shell" and "Spring4Shell", receiving a severe CVSS score of 9.8/10; however, many researchers have stated that this vulnerability is nowhere near as dangerous. Tenable senior research engineer Claire Tills stated that while the vulnerability has a very high CVSS score, it appears to require very specific application development practices and configurations that are uncommon. This was corroborated from vulnerability researchers in other notable organizations like Sophos, Contrast Security, Jfrog Security, and GreyNoise agreeing that this flaw is far less severe. The exploitation attempts found in the wild appear to only be scanning for the vulnerability itself. WordFence has stated that said that customers using Java version 15 and later should be safe from code execution since script interpolation is not possible. However, the DNS and URL vectors for exploiting the flaw would still work. ASF has patched this vulnerability and released an updated version of Apache Commons Text (1.10.0), and users with direct dependencies are urged to update their software to prevent exploitation. Regardless of whether this vulnerability is as severe as the CVSS score suggests or is overhyped, it is another indicator that the potential security risks stemming from open-source third-party dependencies pose a risk to web applications and their networks. CTIX analysts will continue to monitor this flaw and will provide an update with more clarity on the severity when it becomes known.
- Dark Reading: Text4Shell Article
- The Record: Text4Shell Article
- The Hacker News: Text4Shell Article
- Apache: Text4Shell Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.