Connect with us

Cyber Security

Group-IB Claims it Identified 308,000 Exposed Public-Facing Databases in 2021

Published

on

Group-IB claims that it carried out a deep dive into exposed digital assets discovered in 2021. During the research, Group-IB’s Attack Surface Management team analyzed instances hosting internet-facing databases. The findings showed that in the second half of 2021, the number of public-facing databases increased by 16% to 165,600 with most of them stored on the servers in the US. The number of databases exposed to the open web has been growing every quarter to reach its peak of 91,200 in Q1 2022.

Group-IB Attack Surface Management continuously scans the entire IPv4 and identifies external-facing assets, hosting for example, exposed databases, malware or phishing panels, and JS-sniffers. Corporate digital assets that are not properly managed undermine security investment and increase the attack surface, Group-IB experts warn.

“A public-facing database doesn’t necessarily mean it has been compromised or leaked with malicious intent. In most cases, internet-facing databases are an overlooked digital asset that has been misconfigured and thus unintentionally exposed to the open web. We want to underline that unsecured Internet-facing databases pose great risks if the attackers access them before the company finds it is forgotten or poorly protected asset,” Group-IB said.

In the UAE, 111 databases were exposed to the open web between Q1’21 – Q2-’22, while 372 databases were exposed in KSA. The consequences of an exposed database range from a data breach to a subsequent follow-up attack on the employees or customers whose information was left unsecured.

As the pandemic progressed with more people having to work from home, corporate networks kept getting more complex and extended. This inevitably led to an increase in the number of public-facing assets that were not inventoried properly. According to IBM, the average cost of a data breach increased from USD 3.86 million to USD 4.24 million last year. In many cases, a data breach starts with a preventable security risk, such as a database exposed to the open web.

As such, in 2021 alone, the Group-IB Attack Surface Management team identified 308,000 incidents of databases exposed to the open web.

When it comes to the management of high-risk digital assets, timely discovery plays a key role as threat actors are quick in spotting a chance to steal sensitive information or advance further in the network. According to the Attack Surface Management team’s findings, in the first quarter of 2021, it took an average of 170.2 days for an exposed database owner to fix the issue. The average time was decreasing gradually over 2021, but it climbed back to the initial value of 170 in the first quarter of 2022.

Country-wise, last year, most of the databases exposed to the open web were discovered on the servers located in the US.

“A lot of the security incidents can be prevented with very little effort and a good toolset,” comments Tim Bobak, Attack Surface Management Product Lead at Group-IB. “Last year, over 50% of our incident response engagements stemmed from a preventable, perimeter-based security error. A public facing database, an open port, or a cloud instance running vulnerable software are all critical but ultimately avoidable risks. As the complexity of corporate networks keeps growing, all the companies need to have complete visibility over their attack surface.”

Cyber Security

ESET Research Uncovers Iran-Aligned BladedFeline Spying on Iraqi, Kurdish Officials

Published

on

The Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign, according to ESET researchers. The group deployed a range of malicious tools discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor Whisper and a malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.

Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache also serves as a backdoor: it is a malicious IIS module. PrimeCache also bears similarities to the RDAT backdoor used by OilRig Advanced Persistent Threat (APT) group.

Based on these code similarities, as well as on further evidence presented in this blogpost, ESET assesses that BladedFeline is a very likely subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.

BladedFeline has consistently worked to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.

ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.

In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.

ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.

Continue Reading

Cloud

SentinelOne Simplifies Secure Cloud Migrations on AWS

Published

on

SentinelOne today announced its participation in the Amazon Web Services (AWS) Independent Software Vendor (ISV) Workload Migration Program. This initiative supports AWS Partner Network (APN) members with SaaS offerings on AWS to accelerate and streamline workload migrations.

Through the program, SentinelOne will provide AWS customers with accelerated, secure cloud migration support, leveraging modern AI-powered CNAPP capabilities to ensure rapid and protected transitions. With access to AWS funding, technical resources, and go-to-market support, SentinelOne will help organizations reduce migration timelines and costs while maintaining robust security.

SentinelOne’s Singularity Cloud Security delivers real-time visibility and protection throughout the migration journey—whether from on-premises or another cloud—enabling a secure, seamless transition to AWS.

“Through our participation in the AWS ISV Workload Migration Program, SentinelOne is helping customers accelerate secure cloud migrations with end-to-end protection and visibility,” said Ric Smith, President of Product, Technology, and Operations at SentinelOne. “Whether moving from on-prem or another cloud to AWS, organizations can count on us to deliver the security they need throughout their journey—realizing the performance, speed, agility, and cost benefits of the cloud.”

Singularity Cloud Security combines agentless and agent-based protection for deep visibility, continuous posture management, and real-time threat detection across hybrid and multi-cloud environments. By collaborating with AWS and ecosystem partners, SentinelOne ensures seamless integration into migration projects, helping customers move faster, reduce risk, and scale confidently in the cloud.

Availability: SentinelOne’s solutions are available globally.

Continue Reading

Cyber Security

Beyond Blocklists: How Behavioural Intent Analysis Can Safeguard Middle East Businesses from Rising AI-Driven Bot Threats

Published

on

The Middle East is facing an unprecedented surge in AI-driven bot attacks, with malicious automation now outpacing traditional defenses. Mohammad Ismail, Vice President for EMEA at Cequence Security, warns that legacy tools like IP blocklists and rate limiting are no match for today’s sophisticated threats (more…)

Continue Reading
Advertisement

Follow Us

Trending

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.