Dell Embraces Multi-cloud + Hackers use stolen OAuth access tokens to breach

May 11, 2022

This week’s news is brought to you by JupiterOne

  • Dell is a name quite well known in the computer technology space, but not one we hear much about in the cloud space. That may be about to change. Dell Technologies is hosting its largest in-person event in years with Dell Technologies World 2022 in Las Vegas this week. In his keynote remarks, Dell CEO Michael Dell shared that the battle over on-premise versus off-premise is over: “The future is multi-cloud and channel partners will be front and center in the multi-cloud world.”
  • Given the conversations we have been having on Cloud Security Podcast and Cloud Security News, we certainly tend to agree with this, and we would be keen to hear if you do too.
  • Dell shared that they are embracing high levels of automation, making their infrastructure programmable to fully support containers and modern applications with developer requirements like Kubernetes, Tanzu, and OpenShift.
  • They are also embracing multicloud in a big way, sharing that “90 percent of customers already have both on-prem and public cloud environments, and 75 percent are using three or four different clouds.” Dell launched two new offerings in partnership with cloud leaders AWS and Azure: Dell PowerProtect Cyber Recovery for Microsoft Azure and for AWS. It will be really interesting to see what Dell can bring to the world on cloud and multicloud. You can read more about their event and announcements here.
  • Most of our listeners are familiar with GitHub, a popular code hosting platform for version control and collaboration. GitHub has shared details of an incident in which hackers, using stolen OAuth tokens, downloaded data from private repositories. They shared that the attacker authenticated to the GitHub API using stolen OAuth tokens issued to Heroku and Travis CI. The pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. Based on the available information, GitHub believes these attacks were highly targeted. GitHub has directly notified each affected user for whom they were able to detect abuse using the stolen OAuth tokens, and has advised that customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications. You can find the details of their investigation here.
  • This week Heroku shared an update noting that they had no evidence of any unauthorized access to Heroku systems since April 14, 2022. They confirmed that the threat actor had access to encrypted Heroku customer secrets stored in configuration variables; the secrets are encrypted at rest, and the threat actor did not access the encryption key necessary to decrypt configuration variable secrets. You can read their updates here.
  • Microsoft has announced the general availability (GA) of the stand-alone version of Microsoft Defender for Business. According to Microsoft, Defender for Business brings enterprise-grade endpoint security to SMBs, including endpoint detection and response capabilities to protect against ransomware and other sophisticated cyberthreats. In their blog they shared that the product “comes with built-in policies to get customers up and running quickly. The automated investigation and remediation capabilities in Defender for Business help automate the type of work handled by dedicated SecOps teams, by continuously detecting and automatically remediating various threats.” Microsoft offers Defender for Business included in Microsoft 365 Business Premium for businesses with up to 300 employees, but customers can also choose to buy it stand-alone for $3 per user, per month. Is Microsoft Defender something you are currently using or looking to use?
  • It’s been a busy year for security researchers, as a few vulnerabilities have been found this year and appropriately reported and remedied for the greater good of us all. We have spoken about Wiz a few times on Cloud Security News; to know more about them you can check out some of our previous episodes. Wiz has recently discovered a chain of critical vulnerabilities in the widely used Azure Database for PostgreSQL Flexible Server. Dubbed #ExtraReplica, this vulnerability allows unauthorized read access to other customers’ PostgreSQL databases, bypassing tenant isolation. If exploited, a malicious actor could have replicated and gained read access to Azure PostgreSQL Flexible Server customer databases. Wiz Research disclosed ExtraReplica to Microsoft in January 2022. Microsoft confirmed that the issue has been fully mitigated and no action is required by Azure customers. They added that they are not aware of any attempts to exploit this vulnerability. According to Microsoft, this vulnerability did not affect Single Server instances or Flexible Servers with the explicit VNet network configuration (Private access). Microsoft did not say how many customers or databases were vulnerable. Read more about this vulnerability here.
  • Orca Security’s researchers have reported a critical vulnerability in Azure Synapse which they have named SynLapse. According to Orca, this vulnerability allows an attacker to access and control other customers’ Synapse workspaces and leak sensitive data stored in the service, including Azure’s service keys, API tokens, and passwords to other services. Orca has confirmed on their blog that Microsoft has since implemented additional mitigation measures that make exploitation much harder. Unfortunately, their research leads them to believe that the underlying architectural weakness is still present. You can read more about this vulnerability and Orca’s statements here.
  • Whilst on the topic of vulnerabilities, Assetnote have found a server-side request forgery (SSRF) bug in VMware Workspace ONE Unified Endpoint Management. It’s a security vulnerability in mobile device management software that could allow attackers access to organizations’ internal and cloud networks and risk exposure of credentials and other sensitive data. They shared in their blog that they discovered a pre-authentication vulnerability that allowed them to make arbitrary HTTP requests, including requests with any HTTP method and request body. In order to exploit this SSRF, they reverse engineered the encryption algorithm used by VMware Workspace ONE UEM. Assetnote reported these findings to VMware, and VMware remediated it. You can read about Assetnote’s discovery here and VMware’s response here.