Week of 4/20 Threat Report

Prior Week Threat Report - April 20, 2025

The world of cybersecurity, cloud security, and cloud data security is constantly evolving. Casmer Labs, Cloud Storage Security’s (CSS) internal threat laboratory, keeps tabs on the industry and the ever-evolving threat landscape in order to ensure that our customers (and the general public) are kept up-to-date on the most relevant security topics.

Casmer Labs’ Q1 threat report predicted that high-profile data breaches, especially due to misconfigurations, would continue to cost organizations millions of dollars in the balance of the year. In the weeks since, a multitude of serious security breaches, vulnerabilities, and incidents have been reported in the mainstream media and confirmed by Casmer Labs.

Employee Monitoring Application Exposes Millions of Screenshots

Initially discovered on February 20, 2025, an improperly configured Amazon S3 bucket owned by employee monitoring application WorkComposer enabled the general public to view millions of screenshots from their customers’ devices.

As of April 28, the total number of leaked screenshots is estimated at over 21 million, with many of these screenshots containing potentially sensitive information such as login credentials, API keys, private emails, personal and professional calendar appointments, and more. The principal risk of these leaks is the fact that screenshots and other information could result in the direct compromise of employee credentials, along with the risk of this information being used by malicious actors to supplement social engineering schemes, including phishing.

As of the publishing of this article, the Amazon S3 bucket has been appropriately secured. If your organization has used WorkComposer at any point, immediately change your passwords and enable multi-factor authentication for any accounts that could have been compromised or exposed. To prevent a similar incident from affecting your organization, take the following steps:

• Restrict Public Access & Secure Cloud Storage

• Configure strict access controls to ensure only authorized users or services can access sensitive data
• Regularly review and update permissions to minimize exposure

• Monitor & Audit Access Logs

• Continuously track access logs to detect unauthorized activity
• Conduct retrospective log analysis to identify any suspicious access patterns

• Encrypt Data at Rest & In Transit

• Enable server-side encryption to protect stored data
• Use AWS Key Management Service (KMS) or equivalent tools to securely manage encryption keys

• Automate Security Measures

• Deploy automated security checks to detect misconfigurations and vulnerabilities
• Use cloud security tools that provide real-time alerts and automated remediation

• Conduct Regular Security Audits

• Perform frequent security assessments to identify and address weak points
• Implement penetration testing to simulate potential attacks and strengthen defenses

• Train Employees on Cybersecurity Best Practices

• Educate teams on data security, phishing risks, and access control policies
• Establish clear protocols for handling and securing sensitive information

New, Simpler Malware On the Rise

Reported by Mauro Eldritch, founder of DEF CON Group 5411, a newer strain of ransomware dubbed PE32, has made waves on social media as an effective program despite its “amateur execution”.

PE32, despite the operational inexperience of its developer, exposes the poor security practices of most Windows users (and organizations, as well). Messy and untargeted encryption as well as the lack of obfuscation tactics (according to the MITRE ATT&CK matrix) are key indicators of an early-development piece of malware. However, the fact that the piece of malware has executed itself successfully on multiple occasions is even more concerning.

In Q1 of 2025, Casmer Labs predicted the further rise in popularity of infostealer malware as attackers continue to shift their focus towards data. While PE32 is not primarily an infostealer, it holds the ability to both encrypt and exfiltrate data from a victim’s local machine. As stolen data becomes more profitable to cyber actors, and the democratization of malware development continues via ransomware-as-a-service (RaaS) and malware-as-a-service (MaaS) offerings, expect more malware similar to PE32 to emerge on a consistent basis in the coming months and years.

About Cloud Storage Security

Cloud Storage Security (CSS) offers customers the ability to deploy multi-cloud, multi-account, and multi-resource malware scanning to protect the entirety of their storage suite under one console. Customers choose CSS’ solution because it:

• Offers flexible scanning models – Scan existing data on a scheduled basis, as data is written to storage repositories, or even before it is written

• Offers multiple malware scanning engines – Using multiple enterprise-grade engines reduce false positives and false negative rates

• Is simple to deploy, configure, and live with – Initial deployment can be performed in under 15 minutes. In-console quarantine, the ability to set up scanning for all storage resources in a single click, and minimal maintenance can all be performed from the console
  

Cloud Storage Security (CSS) also provides customers with flat-rate pricing based on cloud spend or no. of employees, that allows customers to:

• Apply malware protection for their entire environment, including Amazon S3, Amazon EFS, Amazon EBS, Amazon FSx, Microsoft Azure Blob Storage, and Google Cloud Buckets
• Perform periodic rescanning to meet compliance requirements and detect dormant malware

If your organization is interested in learning more about securing its storage resources, get in contact with an SME at cloudstoragesecurity.com/contact or watch an in-depth demo at cloudstoragesecurity.com.

Organizations can also try out the solution for free for 30 days in AWS Marketplace.