AWS vulnerability and more: first officer's blog - week 31

A new AWS vulnerability, a trojanized version of Windows 10, and more. Here's our last cyber risk roundup of 2022.

Mike Parkin | December 26, 2022

First Officer’s log, Terrestrial date, 20221226. Officer of the Deck reporting.  

With a few minor exceptions, because nothing ever goes exactly to plan, the Engineering team has managed to get the Warp Core back online and we should be able to get the ship back into Warp within a few hours. Meanwhile, as our unexpected downtime coincided with an ancient cultural holiday on Earth, some of the crew decorated areas in their quarters and the ship’s lounge to celebrate. Though that did lead to a few non-Terrestrial members of the security team suggesting we go on alert in case an unauthorized visitor boarded the ship to deliver presents during the night shift of said celebration. 

We are not sure if they are joking. 

With the warp core warming up and engineering documenting everything to improve the plan in case it ever happens again and to share with other ships of our class, the security team set about determining how the drive computer was infected in the first place. 

System forensics quickly identified the malicious code and traced it back to a communication we had received shortly after leaving Frontier Station [REDACTED]. The communication in question was directed to Professor [REDACTED] and had evidently been opened by one of their assistants. The message included some encrypted data, which was not uncommon or out of the ordinary, but since it was on their personal Science Council credentials, we couldn’t run the attachment through our normal vetting process which would have assured it wasn’t somehow malicious. 

Which it was. 

The data in question looked benign at first review, but once it was processed through the initial extraction and analysis system, the malicious parts became active. It was relatively sophisticated and leveraged some known behaviors in one of the standard academic analysis tools that Professor [REDACTED] worked with. That in turn led to it communicating with other parts of the ship’s network where it found its way into the drive systems and was able to disrupt the drive. 

When asked why they had opened the attached data without running it through the standard sanitization process, they replied “well, it looked all right.” When asked who it came from, they said “a [REDACTED] we met while watching the chess tournament at the station. They were really keen on our research.” When asked whether they had vetted this curious researcher, they replied “Well, no. But they looked OK!” 

While it would take some time to trace back the origin of the original transmission and the unknown “research fan” who’d gained their trust, we at least knew how to deal with the immediate situation. 

As for the Professor and their assistants, we’d let their academic institution handle the lack of security-specific education.  

And this is why they said to not trust warez sites 

What happened 

A trojanized version of Windows 10 was found on a popular Eastern European Torrent site, apparently targeting users in Ukraine. The malware in the infected iso stole data from victims who installed Windows using the file. Several entities within the Ukrainian government were infected. While there is no confirmation of which threat actor is responsible, there is supposition that the threat actor is associated with Russia’s GRU. 

Why it matters 

While technically illegal, it’s still common practice in some areas to use unlicensed, cracked, or otherwise illegitimate versions of operating systems and applications, even in government organizations. The reasons can range from not being able to justify a purchase for a very short project – the “I only need it to do this one thing” situation – to the product simply being too expensive for the available budget. In some cases, the application may not even be officially available in the region, which leaves an illegal download the only option. While legally and ethically questionable, sometimes the need outweighs the right and wrong. 

This can lead to widespread use of copied software of dubious providence, in turn leading to the very real risk of installing pre-infected applications. Threat actors know this is happening and take full advantage of the situation. 

The bottom line? Don’t get cracked software from torrent sites and expect it to be clean. 

What they said 

With Windows in such common use, it’s no surprise to see this story getting attention

No good deed goes unpunished, or good feature unabused 

What happened 

Threat actors have found a way to abuse an Amazon Web Services feature that lets AWS users easily move IP addresses between accounts. While designed to improve portability and usability, threat actors could use the feature to migrate IP addresses to their control and then use the stolen addresses to bypass IP-based security features such as access control lists or IP filters. 

Why it matters 

If you build it, they will come. And then someone will abuse it because that’s what people do. While this is a legitimately useful feature AWS added, and there are some effective use cases for it, it is a feature threat actors can easily abuse for their own gains. 

The deeper issue is using IP addresses alone for security. While relying on IP addresses for filtering or other functionality does have some real utility, it’s not a sure thing. There are simply too many ways that relying on IP addresses alone won’t deliver the required security. 

There are ways AWS users can minimize the risk of having this feature abused with their address space, which they should probably implement sooner rather than later. 

What they said 

An AWS vulnerability was always bound to get people talking.

AWS vulnerability

Threat actors don’t take time off for the holidays 

What happened 

The holiday season can be a lucrative time for threat actors, as many organizations are not well prepared to deal with a cybersecurity incident during this period. With many security operations personnel taking time off, and some organizations operating with minimal staff overall, threat actors have an opportunity to engage while their targets are apt to offer minimal resistance.  

Why it matters 

Depending on where you are, the end-of-year period can be challenging. For many people, work takes a back seat to the family for a couple of weeks and many people are taking time away from work to celebrate, relax, or just get away from the office. In some cases, the entire company may shut down for the week between Christmas and New Year. 

That often means security operations, IT, and other departments responsible for securing and maintaining the environment are either running with a skeleton crew or are focused on the end-of-year maintenance window. That’s why it’s essential to be prepared before the end of year period hits. 

Of course, this is being published on the 26th, the day after a major holiday, so hopefully, you already have everything in place in case something happens between now and the new year, or already happened over the weekend. 

What they said 

The potential of a big cyber event has certainly sparked some concern

Shout outs this week

To our very own Tal Morgenstern 

To Vulcan Cyber itself for making the list.


Want to get ahead of the stories? Join the conversations as they happen with the Vulcan Cyber community Slack channel

AWS vulnerability

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy