During our class, we discussed the various cloud service models. While Amazon (AWS), Microsoft (Azure), and Google Cloud services are secure, research a published article, and describe how cloud infrastructure has been compromised. Was the failure due to the cloud provider, cloud consumer, cloud carrier, or a cloud broker? How does this information benefit an ethical hacker?
Week 11 Slide Handouts
https://www.securitymagazine.com/articles/96064-azurescape-attack-allows-cross-container-cloud-compromise
The Unit 42 Threat Intelligence team has identified the first known vulnerability that could enable one user of a public cloud service to break out of their environment and execute code on environments belonging to other users in the same public cloud service. The team found an unprecedented cross-account takeover affected Microsoft’s Azure Container-as-a-Service (CaaS) platform. The vulnerability was named Azurescape because the attack started from a container escape – a technique that enables privilege escalation out of container environments.
According to the researchers, “Azurescape allows an ACI user to gain administrative privileges over an entire cluster of containers. From there, the user could take over the impacted multitenant clusters to execute malicious code, steal data or sabotage the underlying infrastructure of other customers. The attacker could gain complete control over Azure’s servers that host containers of other customers, accessing all data and secrets stored in those environments.” It sounds like this was an issue from the cloud provider who failed to upgrade to the latest version of runC – a lightweight, universal container runtime and a command-line tool for spawning and running containers.
Hi Eugene,
Azure has seen several vulnerabilities since its existence, from lack of upgrades to third-party tool integrations. Azure has a focus on protecting user data, but the tools seem to have vulnerabilities that often get exposed. It goes to show that public cloud providers are really not any safer than locally hosted data warehouses.
Yes, the big 3 cloud providers (AWS, GCP and Azure) are known to be secure, but like any other server/application, there are vulnerabilities. Azure’s Cosmos DB left more than 3000 customers open to complete unrestricted access by attackers, as stated in the article. This vulnerability existed when Microsoft added Jupyter notebooks to Cosmos DB. This flaw is on the cloud provider’s side: with the intention of adding a useful tool to their already extensive toolbox, they opened one of the worst possible vulnerabilities. Cosmos DB is the main database in Azure where customers hold the majority of their data to perform analytical processing.
Hi Dhaval,
I appreciate your in-depth analysis of this breach. It demonstrates a shared problem that is always a risk when dealing with 3rd-party vendors or during acquisitions/mergers. Until the deal is done, nobody is keen on sharing vulnerabilities or potential issues.
Recently, a major men’s clothing retailer, Bonobos, experienced a data breach exposing the PII of over 7 million customers, which included various pieces of information like the last 4 digits of credit card numbers, addresses, account information including password histories, and phone numbers. This data was found on a hacker forum, given away for free! The breach presumably occurred at the fault of the cloud provider, although it has not been revealed by Bonobos. They indicated that they found no evidence of external access to their internal network, and that the breach occurred via a threat actor gaining access to a cloud-hosted backup of genuine records, maintained by the third-party cloud provider. All of this information is relevant to an ethical hacker, as it is extremely easy with this combination of data on an individual to conduct a highly effective targeted phishing attack, considering the hacker would have the name, address, phone number, last 4 credit card digits, and previously used passwords. An ethical hacker could make use of the password history for brute-force logins of other services, as many people re-use passwords regularly.
https://www.bleepingcomputer.com/news/security/bonobos-clothing-store-suffers-a-data-breach-hacker-leaks-70gb-database/
I would like to argue that even the Big 3 providers are not as secure as we would like to believe.
Although less likely to be hacked by rogue hackers, large hacking outfits, especially those sanctioned and financed by enemy governments are working day and night to compromise the cloud. Any system is only as secure as its least secure part, and humans are very often that part. With compromised users, any data that they are privileged to access has the potential to be shared with the enemy. This brings up the importance of giving each user the least privileges that they can have while still being able to fulfil their job requirement.
https://foreignpolicy.com/2021/05/24/cybersecurity-cyberattack-russia-hackers-cloud-sunburst-microsoft-office-365-data-leak/
This is a great point, Tal.
They may be better than most other choices in most cases, but at the end of the day there can always still be someone who is uninformed, too privileged, tricked, etc. It only takes one mistake one time to be able to gain access and compromise a system if the attack is performed by someone skilled enough. A technical entry point may not always be the start – social engineering can be utilized as well.
https://www.zdnet.com/article/these-researchers-wanted-to-test-cloud-security-they-were-shocked-by-what-they-found/
This article details how researchers had set up a honeypot for cyber criminals.
I found the results fascinating, as all of the honeypots were attacked multiple times per day (one of the honeypots reaching 169 attacks in a single day).
I think the failure here was self-inflicted (because it was a testing environment), but I do believe that this information is valuable to ethical hackers, because it shows that attacking cloud infrastructure on a large scale is possible, and it may even give ethical hackers knowledge about the possibilities that exist when it comes to this field.
https://www.npr.org/sections/thetwo-way/2017/10/03/555016024/every-yahoo-account-that-existed-in-mid-2013-was-likely-hacked
When talking about cloud security breaches, it’s very difficult to top the Yahoo breach from 2013: 3 billion accounts affected, with many personal details stolen such as names, phone numbers, birth dates, hashed passwords, and security questions and answers. The internal security team brought this information to the attention of senior management, who did not adequately respond or investigate further. This was the fault of the cloud provider and resulted in many top executives being fired or resigning. Ethical hackers could use the information from this case to look for vulnerabilities on other platforms and help prevent this type of breach from occurring again.
In September 2018, Marriott International suffered a data breach where over 500,000 of its guests had PII leaked, including credit card numbers and passport information. An investigation found that Starwood, a company that has since been acquired by Marriott, had been compromised back in 2014, and neither company/brand had recognized it during the acquisition. Although Marriott has not made all details on this breach public, a Remote Access Trojan (RAT) was found on this server, which could have been the result of a phishing email. Ultimately, this breach was due to the fault of the cloud consumer, and it shows ethical hackers how phishing can lead to larger exploitations.
https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html