Category Archives: AWS

Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets

The Magecart group continues to target websites worldwide: it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets.

The Magecart gang has made the headlines again: according to a new report published by RiskIQ, it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets.

A few days ago, security experts at Sanguine Security uncovered a new large-scale payment card skimming campaign that had already hit 962 online stores running on the Magento CMS. Security expert Micham spotted another attack attributed to the Magecart gang, in which hackers injected a skimmer script into The Guardian via an old AWS S3 bucket, using wix-cloud[.]com as the skimmer gate.

According to RiskIQ, since April 2018 Magecart hackers have adopted a new tactic that relies on misconfigured Amazon S3 buckets: buckets that allow anyone with an active Amazon Web Services account to read from or write to them.

“However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets.” reads the analysis published by RiskIQ. “These buckets are un-secure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them.”

The attackers scan the web for misconfigured buckets containing any JavaScript files, download those files, append the skimming code to the bottom, and overwrite the original script in the bucket.
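One way to check for the precondition this campaign relies on, as an added example (not RiskIQ's or Security Affairs' code): audit the bucket ACL for grants to the canned AllUsers and AuthenticatedUsers groups, which is how "anyone with an AWS account" gets write access. The ACL document is constructed inline in the shape boto3's get_bucket_acl() returns, so the script runs offline; the owner ID is a placeholder.

```python
"""Audit an S3 bucket ACL for the misconfiguration RiskIQ describes: a grant to the
AuthenticatedUsers group (any AWS account) or AllUsers (everyone) that permits writing,
which is what lets a skimmer be appended to a hosted .js file. Added example, not RiskIQ's
or Security Affairs' code; the sample ACL is hand-built in get_bucket_acl() shape."""

# Canned-group URIs AWS uses for grantees in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BROAD_GROUPS = {ALL_USERS: "everyone", AUTHENTICATED_USERS: "any AWS account"}

# Permissions that let a grantee overwrite objects or rewrite the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
READ_LIKE = {"READ", "READ_ACP"}


def audit_acl(acl: dict) -> list:
    """Return one finding per grant to a canned group; CRITICAL marks write access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one account; out of scope here
        who = BROAD_GROUPS.get(grantee.get("URI"))
        if who is None:
            continue  # e.g. the LogDelivery group, which is not a public grant
        perm = grant.get("Permission", "")
        if perm in WRITE_LIKE:
            findings.append(f"CRITICAL: {who} may {perm} (objects can be overwritten)")
        elif perm in READ_LIKE:
            findings.append(f"WARNING: {who} may {perm} (contents can be enumerated)")
    return findings


def is_writable_by_any_account(acl: dict) -> bool:
    """True when the ACL matches the campaign's precondition."""
    return any(f.startswith("CRITICAL") for f in audit_acl(acl))


def strip_broad_grants(acl: dict) -> dict:
    """Copy of the ACL with every canned-group grant removed, for put_bucket_acl()."""
    kept = [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") not in BROAD_GROUPS]
    return {"Owner": acl.get("Owner", {}), "Grants": kept}


# Constructed sample: the owner keeps FULL_CONTROL but has also granted the
# AuthenticatedUsers group READ and WRITE, the setting the campaign scans for.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL):
        print(finding)
```

S3 Block Public Access treats grants to either canned group as public, so enabling it at the account level neutralizes this class of ACL independently of the audit result.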

RiskIQ experts believe the threat actors have already compromised a large number of S3 buckets, affecting over 17,000 domains, including websites in the top 2,000 of the Alexa rankings.

“However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment.” concludes RiskIQ.

“Perhaps most importantly, the widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets.”

Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores to steal payment card data, but they differ considerably from each other.

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow, Amerisleep, and Feedify.

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

The post Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets appeared first on Security Affairs.

Migrating Network Protection to the Cloud with Confidence

For modern organizations, speed and agility are the key to success, built on enhanced IT efficiency and performance driven by the cloud. Anything less could see your business outpaced by the competition. As always, security must be a priority when migrating to the cloud, but network teams are being let down by existing tools. Overwhelmed by this challenge, our TippingPoint customers came to us asking for an equivalent product for their AWS environments. So we went away and built one.

Cloud Network Protection is the first transparent, in-line network security offering for AWS customers: simple to deploy and manage, cloud-ready and leveraging our industry leading expertise in network threat protection.

Let down by legacy

According to the cloud’s shared responsibility model, network security teams are increasingly being tasked with extending security into the cloud. But current offerings in the market simply aren’t capable of supporting their requirements. They’re complex, expensive and introduce extra friction.

Our TippingPoint customers came to us with a range of gripes. They felt existing network security solutions are simply not engineered with cloud environments in mind. In fact, some need to be rearchitected to function at all in the cloud. Often, these incompatibilities lead to business disruption: by causing app and network downtime while network security is deployed and/or slowing down the speed of DevOps on an ongoing basis. In many cases, customers complained of having to use multiple tools to manage security for different networks in the hybrid cloud – adding extra cost and complexity and creating potential security gaps through misconfigured solutions.

These challenges impair their ability to meet key compliance requirements like HIPAA and GDPR. Responding to internal and external audit requests also became more difficult. At the same time as these strategic challenges, network security teams wanted to meet day-to-day requirements such as blocking requests to specific domains.

A new approach

Taking all this on board, we set about designing a network-based solution to handle the scale and performance demands of the cloud, without introducing extra friction to operations. We did this by tapping the power of the AWS Transit Gateway, a service that enables customers to connect all their Virtual Private Clouds (VPCs) and on-premises networks via a single, centralized gateway.

The resulting Cloud Network Protection solution is deployed transparently into the network fabric, providing visibility and control where network security teams need it most whilst avoiding application disruption and the need to rearchitect. By extending our TippingPoint capabilities into the cloud, we offer organizations multiple benefits including:

Consistent network security: Allowing teams to use existing TippingPoint security profiles in the cloud and on-premises.

Centralized SMS management: Complete visibility and control using the familiar Security Management System (SMS).

Simplified deployment: Minimizes friction by sliding seamlessly into the cloud network fabric.

Industry leading security: Including network-based virtual patching, and zero-day protection backed by the Zero Day Initiative bug bounty program. All whilst avoiding business disruption.

Nearly three-quarters (73%) of organizations had at least one application in the cloud as of last year – with a further 17% planning to do so within the next 12 months, according to IDG. As they migrate these business-critical apps, network security teams are demanding effective, cloud-ready tools that offer maximum protection without impacting performance. Fortunately, now they have one.

The post Migrating Network Protection to the Cloud with Confidence appeared first on .

Happy Birthday

Nineteen years ago this week I registered the domain

Creation Date: 2000-07-04T02:20:16Z

This was 2 1/2 years before I started blogging, so I don't have much information from that era. I did create the first Web site shortly thereafter.

I first started hosting it on space provided by my then-ISP, Road Runner of San Antonio, TX. According to, it looked like this in February 2002.

That is some fine-looking vintage hand-crafted HTML. Because I lived in Texas I apparently reached for the desert theme with the light tan background. Unfortunately I didn't have the "under construction" gif working for me.

As I got deeper into the security scene, I decided to simplify and adopt a dark look. By this time I had left Texas and was in the DC area, working for Foundstone. According to, the site looked like this in April 2003.

Notice I've replaced the oh-so-cool picture of me doing American Kenpo in the upper-left-hand corner with the classic Bruce Lee photo from the cover of The Tao of Jeet Kune Do. This version marks the first appearance of my classic TaoSecurity logo.

A little more than two years later, I decided to pursue TaoSecurity as an independent consultant. To launch my services, I painstakingly created more hand-written HTML and graphics to deliver this beauty. According to, the site looked like this in May 2005.

I mean, can you even believe how gorgeous that site is? Look at the subdued gray TaoSecurity logo, the red-highlighted menu boxes, etc. I should have kept that site forever.

We know that's not what happened, because that wonder of a Web site only lasted about a year. Still to this day not really understanding how to use CSS, I used a free online template by Andreas Viklund to create a new site. According to, the site appeared in this form in July 2006.

After four versions in four years, my primary Web site stayed that way... for thirteen years. Oh, I modified the content, SSH'ing into the server hosted by my friend Phil Hagen, manually editing the HTML using vi (and careful not to touch the CSS).

Then, I attended AWS re:inforce the last week in June, 2019. I decided that although I had tinkered with Amazon Web Services as early as 2010, and was keeping an eye on it as early as 2008, I had never hosted any meaningful workloads there. A migration of my primary Web site to AWS seemed like a good way to learn a bit more about AWS and an excuse to replace my teenage Web layout with something that rendered a bit better on a mobile device.

After working with Mobirise, AWS S3, AWS Cloudfront, AWS Certificate Manager, AWS Route 53, my previous domain name servers, and my domain registrar, I'm happy to say I have a new Web site. The front page looks like this:

The background is an image of Milnet from the late 1990s. I apologize for the giant logo in the upper left. It should be replaced by a resized version later today when the AWS Cloudfront cache expires.

Scrolling down provides information on my books, which I figured is what most people who visit the site care about.

For reference, I moved the content (which I haven't updated) about news, press, and research to individual TaoSecurity Blog posts.

It's possible you will not see the site, if your DNS servers have the old IP addresses cached. That should all expire no later than tomorrow afternoon, I imagine.

Let's see if the new site lasts another thirteen years?

Using Amazon Web Services? Cisco Stealthwatch Cloud has all your security needs covered

Like many consumers of public cloud infrastructure services, organizations that run workloads in Amazon Web Services (AWS) face an array of security challenges that span from traditional threat vectors to the exploitation of more abstract workloads and entry points into the infrastructure.

This week at AWS re:Inforce, a new feature for AWS workload visibility was announced: AWS Virtual Private Cloud (VPC) Traffic Mirroring. This feature allows a full 1:1 packet capture of the traffic flowing within, into and out of a customer’s VPC environment. This lets vendors provide visibility into all AWS traffic and perform network and security analytics on it. Cisco Stealthwatch Cloud is able to fully leverage VPC Traffic Mirroring for transactional network conversation visibility, threat detection and compliance risk alerting.

Stealthwatch Cloud is actually unique in that we have had this level of traffic visibility and security analytics deep within an AWS infrastructure for a number of years now with our ability to ingest AWS VPC Flow Logs. VPC Flow Logs allow for a parallel level of visibility in AWS without having to deploy any sensors or collectors. This method of infrastructure visibility allows for incredibly easy deployment within many AWS VPCs and accounts at scale in a quick-to-operationalize manner with Stealthwatch Cloud’s SaaS visibility and threat detection solution. In fact, you can deploy Stealthwatch Cloud within your AWS environment in as little as 10 minutes!

Additionally, we are seeing that the majority of customer traffic in, out and within a VPC is encrypted. Stealthwatch Cloud is designed from the ground up to assume that the traffic is encrypted and to model every entity and look for threats leveraging a multitude of data points regardless of payload.

Stealthwatch Cloud takes the AWS visibility and protection capability even deeper by leveraging the AWS API to retrieve a wide array of telemetry from the AWS backend, telling a richer story of what’s actually going on throughout the AWS environment, far beyond monitoring the network traffic itself. We illuminate API keys, user accounts, CloudTrail audit log events, instance tags, and abstract services such as Redshift, RDS, Inspector, ELBs, Lambdas, S3 buckets, NAT Gateways and many other services our customers use beyond VPCs and EC2 instances.

Here is a screenshot from the customer portal with just a sample of the additional value Stealthwatch Cloud offers AWS customers in addition to our network traffic analytics:

The following screenshot shows how we are able to extend our behavioral anomaly detection and modeling far beyond just EC2 instances and are able to learn “known good” for API keys, user accounts and other entry points into the environment that customers need to be concerned about:

Combine this unique set of rich AWS backend telemetry with the traffic analytics we can perform with either VPC Flow Logs or VPC Traffic Mirroring, and we are able to ensure that customers are protected regardless of where the threat vector into their AWS deployment may exist: at the VPC ingress/egress, at the AWS web login screen, or via API keys. Cisco is well aware that our customers are using a broad set of services in AWS that stretch from virtual machines to serverless and Kubernetes. Stealthwatch Cloud is able to provide visibility, accountability and threat detection across the Kill Chain in any of these environments today.

Try today!

Interested in Cisco Stealthwatch Cloud? You can try it today with our no-risk, 60-day free trial. To sign up, click here or visit us on the AWS Marketplace.

AWS re:Inforce 2019 re:Cap

A wide angle shot of the conference registration desk for AWS re:Inforce with an endcap wall in a slight teal blue saying, "Welcome to AWS re:Inforce"

The inaugural AWS Cloud security conference, AWS re:Inforce, was held in Boston this week. Well over 8,000 attendees descended on the Boston Convention and Exhibition Center for two days jam-packed with security education and cloud content.

This was a very interesting conference because the dynamics of the attendees felt very different from typical AWS events. Usually at an AWS event, security teams are the odd people out, making up a small portion of the attendees. At re:Inforce, the script flipped and it seemed that the majority of attendees were in primarily security roles.

That’s great news for the show and for the community in general. Everyone in attendance and online was eager to learn about AWS Security Services, offers from AWS APN Partners, and what works—and what doesn’t—when it comes to securing cloud deployments.

As with any AWS event, there were a number of announcements that covered new features and functionality. We didn’t get any new services but the size of these features makes up for that. Here’s my quick take on each of the major announcements and how it might be useful for you.

AWS Security Hub Goes GA

AWS Security Hub was first announced as a preview at AWS re:Invent 2018. This tool helps consolidate security information into one place. Data from various AWS Security Services (like Amazon GuardDuty, Amazon Macie, and Amazon Inspector) and from various AWS APN Partners feeds into Security Hub in order to highlight compliance issues and various security findings.

That term, finding, is key. A finding isn’t a log entry or an event or even an incident (as defined in infosec). A finding is generated by one of the security tools and is likely to start a security or compliance incident.

The goal of Security Hub is to make security data more visible and actionable. It is not a replacement for a SIEM or a team of analysts. It is a fantastic tool to help highlight security issues with other teams.

Read more from Brandon West over on the AWS Blog.

AWS Control Tower Comes Out Of Preview

This service helps you to create strong, well-architected baselines for new AWS accounts within your organization. Control Tower works with landing zones, a concept first brought to the forefront at AWS re:Invent 2018.

Multi-account strategies are common within larger organizations and there are a number of security benefits to the approach if it is well managed. The challenge is standardizing settings, configuration, and policy across accounts.

This is where AWS Control Tower comes into the picture. Working with AWS Organizations, AWS IAM, AWS Config, AWS CloudTrail, and AWS Service Catalog, you can configure what every new account within your organization should look like. This helps ensure that all of your teams are set up for success.

Read more from Jeff Barr.

VPC Traffic Mirroring

Up until now, you’ve only been able to glimpse what’s going on with the network traffic in your VPC using AWS native features. The VPC Flow Log functionality provides the basics of source, destination, and size of traffic, but actual packet analysis requires a richer data source than flow records.

VPC Traffic Mirroring does exactly as promised, leveraging the AWS network layer to mirror traffic from specific targets, sessions, or filters so that it can be analyzed in another tool.

This can be helpful in network forensic analysis, troubleshooting, or operational analysis.

Jeff Barr has a walk through of the feature on the AWS Blog.

AWS Incident Response Whitepaper

Though published a few weeks before the event, AWS is highlighting the new AWS Security Incident Response Whitepaper. This paper helps security teams understand how traditional incident response maps to the AWS Cloud.

It’s a well-written, practical paper that can help teams understand how a process they are familiar with changes in a new environment like the AWS Cloud.

Get an overview from Joshua Du Lac over on the AWS Security Blog.

AWS Marketplace Procurement System Integration

During the AWS re:Inforce keynote, Stephen Schmidt announced a new AWS Marketplace integration for existing procurement systems. On first blush, this seems like an odd feature to call out at a security conference.

But security is always a critical question in any enterprise sales engagement and procurement headaches abound. The AWS Marketplace can address some of those headaches.

This new integration (initially with Coupa and others via cXML) will make it easier for some enterprises to test and acquire new technologies, reducing the barrier to acquire new security tools.

Read more in the AWS Marketplace documentation.

What’s Next

At the end of the keynote, Stephen Schmidt announced that AWS re:Inforce will be held again next year, this time in Houston. That’s fantastic news, as it shows that AWS acknowledges that security is a critical pillar of well-built cloud deployments and that the community is strong enough to support events of this size dedicated to the topic.

The breakout sessions from the show were recorded and are being posted to the AWS YouTube channel. The day 1 keynote by AWS CISO Stephen Schmidt has already been posted, so you can start catching up now.

I did a takeover on the Trend Micro LinkedIn page and went live twice during the show. Check that out for a bit of an insider’s view and, as always, ping me on Twitter, where I’m @marknca, to talk more about this and cloud security in general.

The post AWS re:Inforce 2019 re:Cap appeared first on .