What Can We Learn from Recent Cloud Security Breaches?

Originally published by Skyhawk Security.

Over the past year there have been several prominent cyber incidents involving the cloud. These incidents have illustrated the dependency of organizations on the cloud, the vulnerability of the cloud, and the motivation of attackers to utilize this to their advantage. But if we look closer, we can also identify some lessons that can be learned and implemented by others.

Summary of major incidents:

In May, Software giant Snowflake was made aware of a cyber incident. Initially it was thought that the attackers sought to hack Snowflake itself, but it was later discovered that they were really after Snowflake clients. More than 160 were targeted, including Santander Bank, online ticket sales platform TicketMaster, Pure Storage, Advance Auto Parts, and AT&T.

In early June, Russian Ransomware group Qilin attacked Synnovis, a healthcare partner that provides pathology services to several London-based hospital trusts. The attack crippled their IT systems, resulting in interruptions to many of its pathology services. The impact was wide, and hospitals and clinics had a great deal of difficulty in providing urgent services, which resulted in thousands of cancelled and delayed operations and appointments. Later that same month, CDK Global, a US-based software company that serves more than 15,000 car dealerships across the nation and accounts for more than half of US auto sales, suffered 2 subsequent cyber-attacks by hacking group BlackSuit. The IT systems were severely impacted, and thousands of auto dealerships were without access to the critical functions including: Sales Management, Inventory Management, Customer Relationship Management (CRM), Service and Repair Management, Finance and Insurance (F&I), Digital marketing, Data analytics, and Backoffice operations (including accounting, payroll, and human resources). The total damage of these attacks is estimated to be billions of dollars.

These are the primary factors that allowed these attacks:

1. Credential theft and trade: Some of the attacks were conducted using credentials which were stolen through infostealing malware and hacking groups (including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER).
2. Aging credentials which has gone years without an update: Organizations have not purged systems of older credentials. They were completely unaware that these credentials were still valid and worse yet, were stolen. In some cases, the credentials had not been revoked or updated years after theft.
3. Reliance on credentials only, without utilizing “allow lists” or MFA: Organizations were not implementing “allow lists” to enable access only from specific locations, IP addresses and domain URLs, making the use of stolen credentials easier. The impacted accounts were not configured with multi-factor authentication, meaning successful authentication only required a valid username and password.
4. Reliance 3rd party software and services: The hospitals’ reliance on Synnovis for the pathology and blood services, as well as auto dealerships’ reliance on CDK Global CRM software services made them extremely vulnerable. At least in the case of Synnovis, some hospitals were concerned about their security posture but have failed to act prior to the attack. In the case of Snowflake customers, some were connected to external contractors who assisted organizations in configuring and operating the Snowflake platform. These contractors did not seem to adhere to strict security procedures. For example, some of their laptops were used for personal activities, including gaming and were found to have downloads of pirated software. One compromised contractor laptop could have had access to numerous Snowflake accounts across multiple customers.

All these factors enabled threat actors to breach multiple organizations. Credentials were not well guarded, and accounts were accessible with older credentials and did not leverage MFA. ”No allow lists” were not used to limit accessibility. Reliance on external contractors and 3rd party software and service providers with lesser security posture also left organizations vulnerable. None of these required any formidable “hacking” skills or knowledge in software vulnerabilities and their exploitation, making these organizations prime targets for hackers.

What can organizations do to secure themselves?

These incidents illustrate several important aspects of modern cloud-based vulnerabilities, that most organizations should take notice of:

• How simple attacks methods can breach cloud-based systems: These attacks did not require high level of proficiency, but rather general knowledge of how organizations neglect basic security and IT procedures. Looking ahead, many more attackers will follow this “path of least resistance” and deploy numerous attacks against such systems.
• The importance of basic cloud hygiene practices: Poor cloud hygiene and security practices are another factor that amplifies the risk to organizations. If in the past, poor hygiene could have been tolerated because on-prem systems were less accessible to external threats. Today these same business assets are exposed to the outside world and as we’ve seen, can easily be manipulated.
• Risks of third parties and supply chain: Third parties have always presented risk to organizations, but cloud has exacerbated this risk to alarming levels. One contractor with access to several user accounts can seriously compromise an entire organization. One software vendor with antiquated architecture can disable tens of thousands of businesses.
• Importance of employing CDR: Given the immense risks and challenges, it is necessary to employ modern security technologies that could identify and alert against such attacks. CDR (Cloud detection and response) could have identified these attacks. By utilizing behavioral analytics, CDR would have detected anomalous access (even without employing “allow lists”). It would have identified accounts without proper MFA and alert prior to their exploitation. Moreover, combining CDR with breach simulation should have identified that specific accounts were prone to exploitation and allow to remedy the faulty configuration prior to the attack.