In today’s episode, we discuss how a developer nearly faced a $1,300 bill due to a poorly named AWS S3 storage bucket, attracting unauthorized access (https://arstechnica.com/information-technology/2024/04/aws-s3-storage-bucket-with-unlucky-name-nearly-cost-developer-1300/). We also delve into the repercussions faced by Change Healthcare after a ransomware attack due to compromised credentials and lack of MFA (https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/). Lastly, we explore a new Android malware named Wpeeper that utilizes compromised WordPress sites to conceal C2 servers, posing a threat to unsuspecting users (https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html).

00:00 Intro

00:55 Change Health Care

04:10 The High Cost of a Naming Mistake: A Developer’s AWS Nightmare

07:54 Emerging Threats: The Rise of WPeeper Malware

AWS, S3, Storage Bucket, Unauthorized Access,Change Healthcare, AlphV, ransomware, cybersecurity,Wpeeper, malware, WordPress, command-and-control

Search phrases: 1. Ransomware group AlphV 2. Change Healthcare 3. Compromised credentials 4. Multifactor authentication 5. Ransomware consequences Change Healthcare 6. Cybersecurity breach consequences 7. Security measures for cybersecurity breach prevention 8. Wpeeper malware 9. Android device security protection 10. Compromised WordPress sites protection

Change Healthcare’s CEO just testified in front of the House Subcommittee that the service they used to deploy remote desktop services did not require multi factor authentication. Which led to one of the most impactful ransomware attacks in recent history.

In other news, a very unlucky

developer in his personal time accidentally incurred over 1, 300 worth of charges on his AWS account overnight. What was this developer doing and how did it lead to such high charges in such a short amount of time?

Wpeeper Malware is utilizing compromised WordPress sites to hide its C2 servers, posing a significant threat to Android devices, with the potential to escalate further if undetected.

How can users protect their Android devices from falling victim to this malware? You’re listening to The Daily Decrypt.

The CEO of Change Healthcare, which is a subsidiary of UnitedHealthcare that was breached, it’s been all over the news, it’s all over the news. Revealed in written testimony that Change Healthcare was compromised by Ransomware Group. accessing their systems with stolen credentials. Which we all knew, but the ransomware group used these compromised credentials to remotely access a Citrix portal,

which is an application used to enable remote access to desktops.

And this portal did not require multi factor authentication.

I don’t know much about Change Healthcare’s inner infrastructure, but any portal that allows remote access to other desktops should be locked down pretty hard.

And the fact that just a simple username and password can grant access can grant all of these different desktops is pretty terrible.

And means that this attack could have likely been avoided had they enabled multi factor authentication.

So if you’re brand new to cybersecurity and you’re listening to this podcast for the first time,

you need to know that there are a few very easy things you can do to improve your posture online. Don’t reuse passwords. Step one, one of the easiest way to do that is to use a password manager and have them generate your passwords for you. Number two, enable multi factor authentication that way, if someone does come into your username and password combination, they still have to get through some sort of device based authentication, like a ping on your cell phone or something like that, to allow them to log into your account.

Now, in the case of United and Change Healthcare, one thing that they also could have done To help mitigate their negligence in not enabling multi factor authentication would be to have frequent dark web scams for any password in the system or any username in the system.

And this can all be automated. If a password that is being used to access any system in your network is found on the dark web, immediately revoke that password and require that user to create a new one.

But, that is slightly more complicated than just requiring multi factor authentication. So,

probably start there.

But, the attackers who carried out this ransomware

were able to use credentials they found on the dark web to infiltrate the networks, gain access to remote desktops, and launch their ransomware within 9 days of their entry. So, that’s pretty fast. A few years ago, that would have taken dozens of days, if not hundreds of days. The dwell time for attackers was pretty high back then.

But now, single digits. That doesn’t leave much time for defenders to find this type of attack.

But the CEO acknowledged this negligence and

shared his deep condolences for all of the patrons of Change Healthcare. The pharmacists, the doctors, a lot of work had to be put on hold For And it’s very possible that people died as a result of this breach, having to be transferred to different hospitals, etc. This is a pretty tragic thing, so if you’re in the healthcare industry, if you’re in a position of power, make sure that all your internal systems, and especially external, but definitely internal as well, have multi factor authentication enabled.

And if you want to go the extra mile, create some sort of automatic tool that probably exists online for free, that will check the dark web on a recurring basis for any passwords in your system.

A cloud developer was setting up a proof of concept for a client. And it involved creating an empty storage bucket in AWS.

The project was a document indexing system. And so this developer uploaded a couple of documents and then began working in other areas of the project. Then after two days of work, went back and checked the billing costs and found 1, 300 worth of charges. Now, if you’re not familiar with AWS and their pricing, S3 storage buckets are really cheap.

The daily decrypt is actually hosted in the S3 storage bucket and I pay less than 10 a month for all hosting. And I’m uploading audio, which is a lot larger than documents. Okay. So this bucket should have cost less than 5 a month, but after two days, There were 1300 in charges, so I really appreciate the developer sharing this story because it’s an interesting case study.

What happened? Well, the developer accidentally named the bucket the same thing that an open source software uses as a placeholder in their code. So what does that mean?

Some other company, let’s say it’s Home Depot, alright? That came up in a previous reel. Home Depot has some software that backs up their files to Amazon S3 buckets on a recurring basis.

Home Depot also has a non production version of that code that has placeholders for those S3 bucket names, such as placeholder bucket 1231 or something like that, so that when it comes time to upload their files, they replace that placeholder with the actual name of their bucket.

but That sample code is running, and it’s not doing anything because it’s attempting to backup their files to a bucket that doesn’t exist. Well, this developer lucked out and created an S3 bucket with that exact name of that placeholder, and this script now all of a sudden is trying to send all of Home Depot’s backup files to this bucket

And news to me, but AWS charges a fee, it’s like 005 cents per request. And an automated system can generate thousands of requests. Per second, like it can go very fast. So just in two days, that 0. 0005 cents per request turned into 1, 300. Now these are unexpected charges. Amazon agrees he shouldn’t have to pay for this, but

it just goes to show how careful you have to be when naming your S3 buckets, especially if they’re going to allow for public users to place files in them.

But another really important aspect of this story that I find fascinating is that the developer, once he realized what was happening, decided to open up his bucket and allow for files to be placed there.

And within 30 seconds, there were over 10 gigabytes of files placed in this bucket.

And these files belonged to another company. One that’s pretty reputable, so probably on the same lines of Home Depot. Now this developer won’t disclose that because these files are currently being backed up and there’s a huge risk for data leak, but

this developer now has the source code for all kinds of files that belong to a pretty big company.

So as a developer, make sure you name your AWS buckets, something pretty unique and maybe even add in a little suffix of random characters after anything you name.

And as developers for companies, make sure you’re not having automated scripts upload to bucket names that don’t exist because Maybe someday they will exist and all those files will go to that bucket.

The developer did reach out to the company that was affected by this and has received no response.

But we’re all hoping that the company responds and fixes their practice and hopefully shells out some money to this developer because that’s a pretty big bug

and they deserve compensation.

And finally, cybersecurity researchers have identified a new Android malware named WPeeper that utilizes compromised WordPress sites to hide its command and control servers.

And if you’ve been listening to this podcast for a while or keeping up to date on cybersecurity news, you’ll know that there’s a lot of opportunity within the WordPress framework

to compromise WordPress sites. And it would be a great place to host a command and control server.

WPPer is a binary that employs the HTTPS protocol for secure C2 communications and functions as a backdoor.

The malware disguises itself within a repackaged version of the Up to down app store for Android aiming to evade detection and deceive users into installing the malicious payload.

WPaper utilizes a complex C2 architecture that involves using infected WordPress sites as intermediaries to obfuscate its actual C2 servers with as many as 45 C2 servers identified in the infrastructure.

The malware’s capabilities involve collecting device information, updating C2 servers, downloading additional payloads, and self deleting.

And to safeguard against similar malware attacks, users are advised to download apps only from reputable sources, carefully review app permissions, and just Be careful what you click on. Stay vigilant out there against suspicious activities that may be taking place on your phone. You might notice a performance lag.

You might notice weird browsers opening up. And if you do, you might just want to restart your device, reset it.

And if you do get curious and install a scanning tool, antivirus, anti malware, et cetera, make sure you do it from a reputable source.

This has been the Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don’t forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.