Trust Center


Welcome to Scaleway's Trust Center. We strive to include security in each and every aspect of our business. You will find in this Trust Center information and documentation to attest our actions towards delivering a safe and secure Cloud service.


Documents

ISO 27001

Trust Center Updates

Ebury

Vulnerabilities

Definition

Ebury is a sophisticated malware and SSH backdoor that targets Linux and Unix systems. Its first goal is to compromise SSH credentials in order to create persistent, malicious access to systems. This backdoor allows the attacker to:

  • Steal SSH credentials and reuse them elsewhere to compromise further systems;
  • Create persistent remote access on systems;
  • Execute arbitrary code on infected systems.

Ebury has been used in various contexts and is known for its ability to remain undetected for extended periods, which makes it a significant threat to any network it compromises.

How it works

After gaining access to a system with stolen or brute-forced credentials, Ebury modifies legitimate SSH binaries so that it can harvest the credentials used in each connection. The stolen credentials are then sent to the attackers, who can also use the backdoor planted by Ebury to control the system without further authentication. The malware stays undetected through advanced stealth techniques and the modification of critical system binaries.

Impact

Ebury has a significant impact in terms of security:

  • It allows attackers to obtain critical information.
  • It allows attackers to gain unauthorized control of a system.
  • It propagates easily.
  • It is hard to detect.

Remediation is very costly in terms of time, effort, and money.

Mitigation

To mitigate Ebury, follow these security practices:

  • Instead of relying on a password alone to connect to a system over SSH, use key-based authentication, and complement the key with a TOTP second factor.
  • Monitor SSH connections on your systems.
  • Monitor logs and network traffic to detect malicious behavior.
  • Isolate infected systems.

By securing SSH access, you may prevent Ebury from infecting your system.
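One concrete form of the first mitigation, as an added example that is not Scaleway's own configuration: the sshd_config directives that disable password-only logins and require a key plus a TOTP code, shown with the weak setting beside the hardened one (the PAM module name and file paths are assumptions; adapt them to your distribution).

```text
# /etc/ssh/sshd_config (excerpt). Added example; paths and module are assumed.

# Weak: a stolen or brute-forced password alone is enough to log in
#PasswordAuthentication yes
#AuthenticationMethods any

# Hardened: every login must present a key AND then answer a TOTP prompt
PasswordAuthentication no
PubkeyAuthentication yes
# On OpenSSH older than 8.7 this directive is ChallengeResponseAuthentication
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PermitRootLogin prohibit-password

# /etc/pam.d/sshd: make the keyboard-interactive step ask for the TOTP code.
# pam_google_authenticator is one common TOTP module (assumed here); the PAM
# password stack for sshd (e.g. "@include common-auth" on Debian-based
# systems) should be commented out so the prompt asks for the TOTP code only.
auth required pam_google_authenticator.so
```

Restart sshd after the change and keep an existing session open while you test a fresh login, so a mistake in the PAM stack does not lock you out.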

Detection

Several actions help detect Ebury:

  • Monitor your system as thoroughly as possible from a security standpoint. Alerts should be raised when critical files are accessed and when unusual behavior is detected.
  • If you suspect Ebury is present on a system, analyze the running processes for anything unusual. Keep in mind that Ebury uses advanced stealth techniques, so this step may not give a conclusive answer.
  • As noted above, Ebury sends the collected information to the attackers. This generates network traffic, which should be monitored. You can also use various tools to inspect kernel extensions; tools such as rkhunter search for rootkits and may give information about Ebury on the scanned system.
  • You can use the dedicated detection script written by ESET, available at https://github.com/eset/malware-research/tree/master/ebury.

Combining all of the previous steps gives you the best chance of detecting Ebury on your system.
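Because Ebury works by modifying legitimate SSH binaries, one of the "critical files" checks above can be a hash baseline. The script below is an added example, not Scaleway's or ESET's code: it records SHA-256 hashes of the OpenSSH binaries on a known-clean system and later reports any that were modified or removed. The watch-list paths are assumed Debian/Ubuntu defaults.

```python
# Added example, not Scaleway's or ESET's code: a hash baseline of the OpenSSH
# binaries that Ebury modifies, taken on a known-clean system, then re-checked.
# The watch-list paths are assumed Debian/Ubuntu defaults; adjust for your OS.
import hashlib
import json
import sys
from pathlib import Path

SSH_BINARIES = [
    "/usr/bin/ssh", "/usr/sbin/sshd", "/usr/bin/ssh-add",
    "/usr/bin/ssh-agent", "/usr/bin/ssh-keygen",
]

def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, out_file):
    """Hash every existing path and save the baseline (keep a copy off-host)."""
    baseline = {p: sha256_of(p) for p in paths if Path(p).is_file()}
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return baseline

def verify_baseline(baseline_file):
    """Re-hash each baselined path; report modified, missing and unchanged."""
    baseline = json.loads(Path(baseline_file).read_text())
    findings = {"modified": [], "missing": [], "unchanged": []}
    for path, expected in baseline.items():
        if not Path(path).is_file():
            findings["missing"].append(path)
        elif sha256_of(path) != expected:
            findings["modified"].append(path)  # replaced or trojanized binary
        else:
            findings["unchanged"].append(path)
    return findings

if __name__ == "__main__":
    # usage: ssh_integrity.py baseline <file> | ssh_integrity.py verify <file>
    cmd, baseline_file = sys.argv[1], sys.argv[2]
    if cmd == "baseline":
        print(json.dumps(build_baseline(SSH_BINARIES, baseline_file), indent=2))
    else:
        result = verify_baseline(baseline_file)
        print(json.dumps(result, indent=2))
        sys.exit(1 if result["modified"] or result["missing"] else 0)
```

Legitimate package updates also change these hashes, so refresh the baseline after each OpenSSH upgrade. Since Ebury's stealth techniques can hide changes from tools run on the live host, a suspicious or surprising result should be confirmed from rescue media or against hashes taken on a clean system.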

Resolution

The resolution for this malware is heavy. If your system is infected, you must:

  • Isolate it as fast as possible to prevent propagation.
  • Change all credentials, keys, and certificates: the previous ones may have been sent to the attackers and must be considered compromised.
  • Back up your important files.
  • Reinstall the OS and restore your data.
  • Follow the mitigation steps to avoid another infection.

There is no "easy and fast" way to resolve this problem: the infected system must be erased and replaced by a fresh one.

Conclusion

Ebury is an advanced malware that modifies legitimate OpenSSH binaries to harvest credentials and gain unauthorized access to systems. Its impact is very large: it is hard to detect and has been active for many years. Good security practices such as MFA, key-based authentication, and system security monitoring must be followed to mitigate this threat. If a system is infected, the recovery process is heavy in time and work: it implies erasing the OS and reinstalling the system.

Documentation

Published at N/A*

Phishing Campaign against Webhosting Customer - May 2024

Incidents

Dear All,

On the 21st of May 2024, our Trust & CSIRT teams detected that a small number of customers of our « Webhosting » offer were targeted using a mix of fuzzing methods.

The threat actor attempted to retrieve credit card information and account credentials by simulating a fake invoice payment page.

Scaleway will never request payment through an email link. As always, if there is an issue with your payment, you will receive a message informing you about the situation.

We took the necessary actions, including reaching out to the provider hosting the threat actor's website and blocking all mail from those illicit senders to avoid impacting our customers.

If you have any doubts about an email supposedly sent by Scaleway, we invite you to contact our technical assistance, available 24/7, by opening a ticket.

You can also take a look at our documentation about how to identify a suspicious email: https://www.scaleway.com/en/docs/console/account/troubleshooting/protecting-yourself-fraud-phishing/.

If you have entered information in response to an email from a phishing campaign, we encourage you to contact support as soon as possible.

We strongly recommend that all our customers activate 2FA on their account by following this documentation: https://www.scaleway.com/en/docs/dedibox-console/account/how-to/enable-two-factor-authentication/

Published at N/A

Backdoor inside the XZ utils package - CVE-2024-3094

Vulnerabilities

Scaleway internal infrastructures were not affected by this vulnerability.

On the 29th of March 2024, a backdoor was discovered in the XZ Utils packages.

The package contains obfuscated code that installs a backdoor interfering with SSH authentication requests, which could grant access to a malicious actor.

The affected package versions are 5.6.0 and 5.6.1, mostly present in testing/unstable/experimental OS releases.

Affected OS: the only OS that might be affected on Scaleway Instance/Baremetal/Dedibox offers is Arch Linux.

Follow the security announcements from your OS vendor to know whether you are affected and how to patch. In most cases, it is highly recommended to update or downgrade the xz package.

Published at N/A*

VMware ESXi multiple vulnerabilities - 05th March 2024

Vulnerabilities

The Scaleway internal infrastructure was not impacted by these vulnerabilities.

On the 5th of March 2024, VMware communicated on multiple vulnerabilities that impact their products. The VMware ESXi solution is impacted and must be patched as soon as possible if you are using it.

This is a summary of the potential risk:

CVE-2024-22252 & CVE-2024-22253 (CVSSv3 8.4) - Use-after-free vulnerability in the XHCI USB controller: a malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox.

CVE-2024-22254 (CVSSv3 7.9) - ESXi out-of-bounds write vulnerability: a malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.

CVE-2024-22255 (CVSSv3 7.1) - Information disclosure vulnerability in the UHCI USB controller: a malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the VMX process.

To remediate these flaws, apply the following patches:

ESXi 8 - Apply one of these patches:

  • ESXi80U2sb-23305545
  • ESXi80U1d-23299997

ESXi 7 - Apply the following patch:

  • ESXi70U3p-23307199

ESXi 6.7 / 6.5:

  • If you subscribed to the extended support plan, you can apply:
    • ESXi670-202403001 for version 6.7
    • ESXi650-202403001 for version 6.5
  • If you did not, you must migrate to version 7 or 8 to patch it.

More information at: https://www.vmware.com/security/advisories/VMSA-2024-0006.html

Published at N/A*
