Last December, when FireEye reported the massive SolarWinds data breaches, it was not immediately obvious that those breaches could not have occurred without cloud connectivity already in place.
The SolarWinds hacks leveraged cloud cybersecurity holes, hijacking the remote software update process. They also exposed fundamental flaws in cloud technology and deployment.
About one-third of companies experienced a serious cloud security or data breach or a data leak during the previous year, according to Fugue and Sonatype’s State of Cloud Security 2021 survey published in May. The study found that cloud misconfigurations continue to be the leading cause of cloud breaches. Of 300 cloud professionals surveyed, 83 percent said their organization was at risk for a major data breach caused by faulty configurations.
Much of the risk stems from “vast and complex” enterprise cloud infrastructure environments and their dynamic nature, consisting of multiple APIs and interfaces requiring governance. Other top reasons for misconfigurations were lack of adequate controls and oversight as well as inattention to security and policies.
click for full size image
Source: Fugue and Sonatype.
Misconfigurations are usually laid at the feet of cloud customers, not providers, under the Cloud Shared Responsibility model. A study by Aqua Security that examined a year’s worth of cloud configuration data for hundreds of its clients found that 90 percent are vulnerable to security breaches due to cloud misconfigurations. Less than 1 percent of enterprises fixed all misconfiguration issues, and larger enterprises required 88 days on average to fix known issues, thereby extending the time attackers could exploit them.
Rush to the cloud
Verizon’s most recent annual report on data breaches found that most cybersecurity incidents now involve cloud infrastructure, and more cybersecurity incidents involve external rather than internal cloud assets. One possible explanation, according to research by Thales, is that half of businesses are storing over 40 percent of their data in external cloud environments, but few are encrypting sensitive data.
An August survey by Vectra AI of Amazon Web Services (AWS) users found that 100 percent have suffered at least one security incident in their public cloud environment within the last year. The majority of enterprises now operate in multi-cloud environments, but those varied vendors pose greater security challenges, said 98 percent of respondents to a July Tripwire report.
Most said the shared responsibility model is often unclear regarding who does what. Most also want cloud providers to increase their security efforts.
Executives demanding digital transformation of their organizations are in a hurry. Nearly all cloud surveys confirm the rapid adoption of public and hybrid clouds, making it difficult to maintain security. As we’ve noted, that rush has been accelerated by the pandemic.
Hasty adoption has also increased notorious Microsoft Exchange Server (MES) attacks. Of MES exposures observed earlier this year by Palo Alto Networks researchers, 79 percent occurred in the cloud. “The cloud is inherently connected to the internet and it’s surprisingly easy for new publicly accessible cloud deployments to spin up outside of normal IT processes, which means they often use insufficient default security settings and may even be forgotten,” they wrote in a blog post.
Vulnerable cloud software
Some cloud security problems stem from vulnerabilities in specific cloud platforms or other software.
A Wikipedia article — don’t laugh! — on the SolarWinds hacks baldly addresses what Microsoft would like you to forget about vulnerabilities in its software: Zerologon, “a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached. This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.
“Additionally, a flaw in Microsoft’s Outlook Web App may have allowed attackers to bypass multi-factor authentication.”
The article also points out that attackers used counterfeit identity tokens to fool Microsoft’s authentication systems.
In August, FireEye’s Mandiant security researchers revealed a critical vulnerability in a core component of the Kalay cloud platform. Kalay services millions of IoT devices, and the vulnerability exposes all of them to potential remote attacks.
“Since many of the impacted devices are video surveillance products — this includes IP cameras, baby monitors and digital video recorders — exploiting the vulnerability could allow an attacker to intercept live audio and video data,” FireEye said in a blog post.
As we reported, researchers at Wiz recently discovered a vulnerability in the Microsoft Azure cloud platform’s central database dubbed ChaosDB. This easily exploitable bug lets attackers gain “complete, unrestricted access” to the accounts and databases at thousands of organizations that use Cosmos DB. Hackers could also delete, download or manipulate data, as well as providing read/write access to Cosmos DB’s underlying architecture.
Wiz called it “the worst cloud vulnerability you can imagine.”
Cosmos DB “is a reminder that we still have a lot to do to protect ourselves,” Jon Jarboe, developer advocate for Accurics, told EE Times . “It’s not always clear exactly what cloud providers are doing with our data and how they’re doing it, versus what cloud users are doing, which makes it hard to protect.”
Added Jarboe: “We know cloud providers are securing data at rest but what about in transit and in use? The Cosmos DB flaw exposes our primary keys to others who aren’t supposed to have that access. There isn’t even a good way for users to realize that this is possible. There is a lot more cloud providers and organizations can do to clarify the bigger security picture.”
Just as I was finishing my ChaosDB article, yet another equally dangerous Azure vulnerability was disclosed by Palo Alto Networks. “Azurescape” gives attackers control of any user’s entire Kubernetes container service infrastructure. A few days later, CosmosDB researchers at Wiz found still more critical, easy-to-exploit, remote code execution vulnerabilities within Azure, this time in the OMI software agent. “OMIGOD” affects “countless” Azure customers.
Although cloud providers are “trying to do the right thing, they have to protect their brand,” said Jarboe. “So, there’s always tension between explaining what they’re doing versus not exposing their trade secrets. Organizations secure things as best they can, and end up having to monitor the dark web for indications that data has been leaked.
“Maybe that’s the only way we can address this in the short term,” he concluded.
>> This article was originally published on our sister site, EE Times.
- SolarWinds attack highlights need for cybersecurity decision at board level
- Software supply chain remains vulnerable
- TCP/IP stacks vulnerabilities are a wake-up call for embedded software
- How OpenChain certification aids open-source transparency for identifying security vulnerabilities
- FortifyIQ helps spot vulnerability with pre-silicon security verification
For more Embedded, subscribe to Embedded’s weekly email newsletter.