What We Can Learn from the Top Cloud Security Breaches
According to Canalys’ recently published review of cybersecurity, there were more data breaches over the course of 2020 than in the previous 15 years combined: 300 reported breaches (up 119% from 2019), during which 31 billion data records were exposed (up 171% over 2019).
There’s no question that the COVID-19 pandemic played an important role in this dramatic escalation. The sudden jump in the number of employees working from home created significant challenges in securing remote access to corporate resources. Also, highly distributed offsite workforces became an ideal target for social engineering hacking ploys.
Although spending on cybersecurity grew 10% during 2020, this increase fell far short of accelerated investments in business continuity, workforce productivity and collaboration platforms. Meanwhile, spending on cloud infrastructure services was 33% higher than the previous year, spending on cloud software services was 20% higher, and there was a 17% growth in notebook PC shipments.
In short, cybersecurity spending in 2020 did not keep up with the pace of digital transformation, creating even greater gaps in organizations’ ability to effectively address the security challenges introduced by public cloud infrastructure and modern containerized applications: complex environments, fragmented stacks and borderless infrastructure, not to mention the unprecedented speed, agility and scale. See our white paper, Introduction to Cloud Security Blueprint, for a detailed discussion of cloud security challenges, with or without a pandemic.
In this blog post, we look at nine of the biggest cloud breaches of 2020, where “big” is not necessarily the number of data records actually compromised but rather the scope of the exposure and potential vulnerability. We describe how these significant breaches happened and provide some key takeaways to help you make your organization more secure.
1. Misconfigured Internal Database
Microsoft disclosed in January 2020 an incident that occurred in an internal support analytics database. A change on Dec. 5, 2019, to the database’s network security group introduced misconfigured security rules. As a result, 250 million records of support cases were compromised, including email and IP addresses as well as support case details.
Microsoft assured customers that the breach did not expose any of its commercial cloud services, and in most cases, the data had been automatically redacted to remove personal information. However, any loss of customer data has serious ramifications, such as giving threat actors a wealth of information for future phishing expeditions. Check Point’s Incident Response Team (CPIRT) has seen a number of successful phishing attacks with a mission-critical pretext such as “Your IT Support Mailbox is Full” or “New voice mail: Unable to access resources.” In the case of this breach, threat actors with access to support ticket history could mount very targeted phishing attacks aligned with prior legitimate communications with vendors.
The incident was a wake-up call for Microsoft, and all of us, that network security rules for internal resources must be subjected to auditing that is as rigorous as that used for external resources. It is also worth noting that the exposure was detected by a third party. More than three weeks passed until the misconfiguration was remediated. Comprehensive measures to detect security rule misconfigurations and alert security teams in real time are critical to prevent breaches.
2. Unprotected Database, Unencrypted Data
On Jan. 30, 2020, a security researcher discovered a database that was not password protected and was accessible to anyone on the internet. The database, which was part of Estée Lauder’s education platform, contained user emails in plain text as well as IP addresses, ports, pathways and storage information that malicious actors could exploit to gain deeper access into the network. Unencrypted production, audit, error, CMS and middleware logs were also exposed, creating more possible backdoors into the network.
Estée Lauder remediated the exposure on the same day that it was discovered and assured its customers that no consumer data was compromised. Despite minimal damage, there are at least three important lessons that can be learned from this breach:
- Effective asset discovery and management are critical to security. Any unprotected asset can be a great foothold for threat actors and, as in this case, can provide invaluable fodder for future social engineering and phishing attacks.
- Beware of the agility and ease with which cloud resources can be provisioned. It should never be at the expense of upholding security best practices such as password protection.
- Data should always be encrypted, even in non-production databases.
3. Database of Secrets Unprotected for 8 Years
Whisper is a secret-sharing smartphone app that’s been around since 2012. In its earlier years, it was a popular platform to share confessions and other highly personal information under a pseudonym. On March 10, 2020, the story broke in The Washington Post that security researchers had discovered 900 million Whisper posts and their metadata in an unprotected database. The exposed data, which went back to 2012, included the user’s age, ethnicity, gender, hometown, nickname and group memberships.
There is no evidence that the database was ever exploited, and Whisper took it down immediately after being contacted by The Washington Post. It is truly hard to fathom how an exposed database from a secret-sharing app could have gone undetected by the company for so many years.
However, it is apparently not an unusual situation. Our CPIRT colleagues have learned that servers or services that are exposed by accident are typically the ones that are most misconfigured and most out of date with patches. Regular external attack surface mapping and scanning can help identify such servers and services and prevent accidental exposure. Perhaps this is also the place to note that in today’s complex hybrid and multicloud environments, the need for effective security monitoring is greater than ever before.
4. Biometric Data on an Unsecured Server
Security researchers informed a Brazilian biometric solutions company in March 2020 that 81.5 million records had been exposed on an unsecured server. The records included admin (!) login information, employee phone numbers and email addresses, company emails and binary code related to 76,000 fingerprints, which could have been used to reverse engineer the fingerprints themselves. Facial recognition data was also found in the exposed database.
The breach occurred primarily because the company failed to securely configure the migration of data to a cloud-based database for storage purposes. Our CPIRT investigators have witnessed several hasty cloud migrations that resulted in accidental exposure of data or other vulnerabilities. When migrating from a protected on-premises infrastructure to cloud infrastructure, extraordinary measures should be taken to secure the application, starting with the same controls you would apply on-premises such as password protection and data encryption.
5. Five Billion Records Exposed During Routine Maintenance
This mega-breach occurred in March 2020 when a service provider temporarily exposed 5 billion records during routine maintenance. The contractor had shut down a firewall for about 10 minutes to speed up the migration of an Elasticsearch database, opening up a window for the internet-indexing service BinaryEdge to index all the data. During those 10 minutes, a security researcher was able to access the database via an unprotected port, although he only succeeded in extracting a very small subset of the records.
The database contained emails and passwords from publicly known data breaches, data that had been used to notify Keepnet’s customers if they had been compromised. No company or customer data was exposed, and the records themselves were all from publicly available threat intelligence resources.
Given the sophistication and agility of threat actors, the Keepnet breach underscores the importance of constant vigilance, even during routine maintenance and operations. In the company’s public statement about the incident, one of the lessons learned was: “We have added [a] threat intelligence service to our 24/7 monitoring systems and conduct continuous vulnerability scanning.”
In CPIRT’s experience, attackers often gain access to and then spread laterally through a network because security controls were disabled in favor of performance. In fact, threat actors look for systems that have exceptional performance with little or no security controls. A proper security architecture should consider performance requirements in the early planning and design stages. This upfront investment saves security management time and resources over the long term.
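Both the Microsoft incident (a network security group change that opened an internal database) and the Keepnet incident (a firewall dropped during maintenance) come down to the same detectable event: an inbound rule that suddenly allows the whole internet to reach a port that should never be public. The following is an added example, not code from the original post or from Check Point, of the kind of check that can run on every rule-set change. The rule format is a constructed, simplified one (direction, action, source CIDR, protocol, port range); real NSG or security-group exports use different field names but carry the same information, and the port list and the two snapshots are constructed for the example.

```python
"""Audit inbound network security rules for world-open access to sensitive
ports, and diff two rule snapshots so that a change which opens such a port
(a rule edit, or a firewall disabled "for ten minutes") raises an alert.

Added example; not code from the original post or from Check Point.
Rule format is a constructed simplification of an NSG / security-group export.
"""
import ipaddress

# Ports for which unauthenticated internet exposure is almost never intended.
# Constructed list for the example; tune it to your environment.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql", 5432: "postgres",
    6379: "redis", 9200: "elasticsearch", 9300: "elasticsearch-transport",
    27017: "mongodb",
}


def is_world_open(cidr: str) -> bool:
    """True if the source prefix covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_matches(rule: dict, port: int) -> bool:
    lo, hi = rule.get("port_range", (0, 65535))
    return lo <= port <= hi


def findings_for(rules: list) -> list:
    """Return sorted (rule_name, port, service) tuples for every inbound allow
    rule that exposes a sensitive port to the entire internet. Deny rules are
    skipped; a production evaluator would also honour rule priority."""
    out = []
    for rule in rules:
        if rule.get("direction") != "inbound" or rule.get("action") != "allow":
            continue
        if not is_world_open(rule.get("source", "0.0.0.0/0")):
            continue
        if rule.get("protocol", "any") not in ("tcp", "any"):
            continue
        for port, service in SENSITIVE_PORTS.items():
            if port_matches(rule, port):
                out.append((rule["name"], port, service))
    return sorted(out)


def new_exposures(before: list, after: list) -> list:
    """Findings present in the new snapshot but not the old one: this is what a
    real-time change alert should carry. Remediated findings are not listed."""
    return sorted(set(findings_for(after)) - set(findings_for(before)))


# Constructed snapshots. BEFORE restricts the database to an office prefix;
# AFTER reflects an edit that widened that source to 0.0.0.0/0 plus a
# temporary allow-all rule added during maintenance.
BEFORE = [
    {"name": "allow-https", "direction": "inbound", "action": "allow",
     "source": "0.0.0.0/0", "protocol": "tcp", "port_range": (443, 443)},
    {"name": "allow-db-from-office", "direction": "inbound", "action": "allow",
     "source": "203.0.113.0/24", "protocol": "tcp", "port_range": (5432, 5432)},
]
AFTER = [
    BEFORE[0],
    {"name": "allow-db-from-office", "direction": "inbound", "action": "allow",
     "source": "0.0.0.0/0", "protocol": "tcp", "port_range": (5432, 5432)},
    {"name": "maint-allow-all", "direction": "inbound", "action": "allow",
     "source": "0.0.0.0/0", "protocol": "any", "port_range": (0, 65535)},
]

if __name__ == "__main__":
    for name, port, service in new_exposures(BEFORE, AFTER):
        print(f"ALERT rule={name} port={port} ({service}) now open to 0.0.0.0/0")
```

Run on each configuration change event rather than on a schedule: in the Microsoft case the gap between the Dec. 5 change and remediation was over three weeks, and a diff against the previous snapshot would have flagged it the same day.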
6. Misconfigured Cloud Server Leaks Guest Information
In July 2020, MGM Grand Hotels acknowledged the breach of 142 million records that contained personal information about guests and were being offered for sale on the dark web. The hacked data included home addresses, contact information, dates of birth, driver’s license numbers and passport numbers. Luckily, it did not include financial information, IDs or reservation details.
It’s possible that this data came from the July 2019 breach that became high profile in February 2020, when 10.6 million records were offered as a free download on a hacking forum. Unfortunately, the data that was exposed here is yet another case of giving threat actors everything they need for future spear-phishing attacks.
The breach was apparently the result of a misconfigured cloud server that was then accessed without authorization. Considering that most misconfigurations are the result of human error, the incident highlights the invaluable importance of automated security workflows to strengthening an organization’s security posture.
7. Undetected Exfiltration of Personal & Financial Data
In September 2020, Warner Media Group (WMG) announced that it was the victim of a three-month Magecart data-harvesting attack on multiple e-commerce websites hosted and supported by an external service provider. From April 25 to Aug. 5, 2020, a hacker exfiltrated personal (name, email address, telephone number, billing and shipping addresses) and credit card information (card number, CVC, expiration date) entered into the websites while making purchases.
In a class action that was brought against WMG in the wake of the incident, the plaintiffs wrote: “The fact that this breach allegedly went on undetected for more than three months demonstrates the alleged lack of care taken by Warner Media Group to secure its customers’ information.” The lesson that WMG learned the hard way is that next-generation threat-hunting and intelligence capabilities might have detected the issue more quickly or even pre-empted it, and that advanced data-driven threat forensics is key to accelerating time to remediation.
8. Crypto Mining Campaign Targets Kubernetes
In June 2020, attackers mounted a successful crypto mining campaign on compute-intensive Kubernetes machine learning nodes on Microsoft Azure. The target was Kubeflow, an open source project for managing ML tasks in Kubernetes. The attackers exploited Kubeflow dashboards that were configured more for convenience than security. These misconfigurations exposed the service to the internet and allowed unauthorized users to perform Kubeflow operations, including deploying new containers.
The Azure Security Center confirmed that the attack affected tens of Kubernetes clusters, but did not specify the scope of the resource hijacking or whether the attackers were able to exploit the dashboards for other malicious activities. Given the cloud’s auto-scaling capabilities, it is no wonder that cloud service providers are a common target of crypto mining campaigns. The victims often only become aware of the exploit at the end of the month when they receive an extraordinarily high cloud usage bill.
In any case, it is never advisable to rely solely on the security controls of your cloud service provider. Every organization must understand its responsibilities within the shared responsibility model of cloud security and uphold all best practices related to cloud network security and cloud configuration compliance.
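A dashboard published to the internet "for convenience" shows up in a cluster inventory as a Service of type LoadBalancer (or NodePort) with no source-IP restriction. The following added example, which is not code from the original post, from Check Point or from the Kubeflow project, reads the JSON that `kubectl get svc -A -o json` produces and lists every such Service so it can be reviewed against what the shared responsibility model leaves to the customer. The sample document is constructed, and the namespace and service names in it are placeholders rather than Kubeflow's real object names.

```python
"""List Kubernetes Services reachable from outside the cluster with no
source-IP restriction, from `kubectl get svc -A -o json` output.

Added example; not code from the original post, Check Point or Kubeflow.
The sample JSON below is constructed; names are placeholders.
"""
import json

# Service types that allocate an address outside the cluster network.
EXPOSED_TYPES = {"LoadBalancer", "NodePort"}


def external_exposures(svc_list: dict) -> list:
    """Return one finding per Service whose type exposes it externally and
    whose spec.loadBalancerSourceRanges either is absent or contains a /0.
    NodePort Services are always reported: the node port is opened on every
    node address regardless of loadBalancerSourceRanges."""
    findings = []
    for item in svc_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        stype = spec.get("type", "ClusterIP")
        if stype not in EXPOSED_TYPES:
            continue
        ranges = spec.get("loadBalancerSourceRanges") or []
        unrestricted = (stype == "NodePort" or not ranges
                        or any(r.strip().endswith("/0") for r in ranges))
        if not unrestricted:
            continue
        ingress = item.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        findings.append({
            "namespace": meta.get("namespace"),
            "name": meta.get("name"),
            "type": stype,
            "ports": [p.get("port") for p in spec.get("ports", [])],
            "addresses": [i.get("ip") or i.get("hostname") for i in ingress],
        })
    return findings


def check(text: str) -> list:
    """Parse kubectl JSON output and return the findings."""
    return external_exposures(json.loads(text))


# Constructed sample: an internal service, a dashboard published with no
# source restriction, and a load balancer limited to a private prefix.
SAMPLE = """
{"items": [
  {"metadata": {"namespace": "ml-platform", "name": "pipeline-api"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 8888}]},
   "status": {"loadBalancer": {}}},
  {"metadata": {"namespace": "ml-platform", "name": "ml-dashboard"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
   "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.10"}]}}},
  {"metadata": {"namespace": "ml-platform", "name": "metrics-lb"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 9090}],
            "loadBalancerSourceRanges": ["10.0.0.0/8"]},
   "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.11"}]}}}
]}
"""

if __name__ == "__main__":
    for f in check(SAMPLE):
        print(f"{f['namespace']}/{f['name']} ({f['type']}) ports={f['ports']} "
              f"addresses={f['addresses']} has no source restriction")
```

A finding is not proof of a breach, but every entry on the list is a service whose authentication and authorization the cloud provider does not supply; each one should be restricted to known source ranges or placed behind an authenticating gateway, and the check should run on every deployment, not once at migration time.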
9. Account Registration Information Exposed to Business Partners
In December 2020, Spotify announced that an undisclosed number of account registration records were accidentally exposed to Spotify business partners. The sensitive user information to which they may have been able to gain access included email address, preferred display name, password, gender and date of birth. The breach resulted from a system vulnerability that was introduced back in April but not discovered until November.
Automated scans and regular penetration testing could have helped identify these types of system weaknesses and perhaps prevent the breach. Keeping cloud assets secure is not just Spotify’s challenge. Of the 300 American CISOs who participated in the IDC Cloud Security survey in June 2020, the top concerns for cloud production environments were security misconfigurations (67%), lack of visibility into access settings and activities (64%), and identity and access management (IAM) errors (61%). Their top cloud security priorities are compliance monitoring (78%), authorization and permission management (75%), and security configuration management (73%). Given these challenges and priorities, enterprises are looking to third-party security vendors to complement their cloud provider security tools and services, as well as provide automated and unified cloud security solutions.
Keeping networks and data assets safe is a never-ending battle between security teams and threat actors. As we have seen in this review of selected 2020 cloud breaches, poor asset management, security misconfigurations and unencrypted data are all leading contributors to breaches that can compromise sensitive data and other resources.
The fact that not all of the exposures described above resulted in damaging exploits should not be a comfort. The exposure itself is often regarded as a poor reflection on the organization’s cloud network security and cloud security management practices. If an organization is the target of continuous attacks, an exploited vulnerability is eventually going to have significant consequences like data leakage, application performance degradation or disruption, or resource hijacking.