Considerations for our Clients
This March, Capital One was the subject of a major data breach affecting over 100 million customers. Originally there was no consensus on how exactly the attack took place; the news media, however, was quick to reach for the predictable phrases:
“…arrested Monday for allegedly hacking into Capital One’s databases.” – GeekWire
“…woman who allegedly pulled off one of the largest-ever bank-data heists…” – WSJ
“…someone outside the company who was able to break into the files…” – MoneyWise
Reality is often more mundane, though scary, when it comes to data security.
What seems to have happened in this case, now that there has been time to digest and analyze the situation from a calmer perspective, boils down to what we often drone on about: weak configurations within the cloud infrastructure.
More specifically, the misconfiguration appears to have been in the Web Application Firewall (WAF) that was deployed to protect the environment.
It appears the WAF was intentionally set up to “redirect” incoming requests (like a reverse proxy). Because of the misconfiguration, the intruder could get it to forward a request to the EC2 instance metadata service (the link-local address 169.254.169.254, which only answers requests that originate on the instance itself), and that service returned the temporary IAM credentials of the role the WAF instance was running under. With those credentials in hand, the intruder made ordinary S3 API calls to list the buckets and copy out their contents.
This implies there were really two bad configurations: whatever on the WAF allowed requests to be redirected to the metadata service, and the overly permissive role assigned to the EC2 instance (or service), which granted all that S3 access (and which the accused, as a former AWS employee, may have known about).
The vulnerability class exploited here is a well-known one called “Server Side Request Forgery” (SSRF): the server is tricked into issuing requests on the attacker’s behalf to destinations it should never have been allowed to reach, such as the instance metadata service. That service trusts anything running on the instance, so a relay that can be pointed at it hands the instance’s credentials to whoever is driving the relay.
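The chain described above, as an added example that is not code from the original post nor anything from Capital One or AWS: a minimal URL relay in Python of the kind a misconfigured WAF or reverse proxy becomes, beside a hardened version that only forwards to allow-listed backends and re-checks the resolved address. The metadata responses, the backend host `app.internal.example`, the attacker-registered name `metadata.attacker.example`, the role name and the key material are all constructed for the example.

```python
import ipaddress
import json
from urllib.parse import urlparse

# EC2 instance metadata service (IMDS) addresses. They answer only to requests
# that originate on the instance itself, which is exactly why a relay that can
# be pointed at them is dangerous: the relay *is* on the instance.
IMDS_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed stand-in for the metadata service's answers (IMDSv1-style GETs).
# The role name and key material are placeholders, not data from the breach.
FAKE_METADATA = {
    CREDS_PATH: "example-WAF-Role",
    CREDS_PATH + "example-WAF-Role": json.dumps({
        "Code": "Success",
        "AccessKeyId": "ASIAEXAMPLEKEY",
        "SecretAccessKey": "example/secret/key",
        "Token": "example-session-token",
    }),
}

# Constructed DNS so the example runs offline. The second name is what an
# attacker registers to get past a check that only compares the hostname
# string against "169.254.169.254".
FAKE_DNS = {
    "app.internal.example": "10.0.5.23",
    "metadata.attacker.example": "169.254.169.254",
}


def fake_resolve(host: str):
    """Constructed resolver: IP literals resolve to themselves, names via FAKE_DNS."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS.get(host)


def fake_fetch(url: str) -> str:
    """Stand-in for the HTTP GET the relay issues on the client's behalf."""
    u = urlparse(url)
    if u.hostname in IMDS_ADDRESSES:
        return FAKE_METADATA.get(u.path, "404 Not Found")
    if u.hostname == "app.internal.example":
        return "<html>app response</html>"
    return "404 Not Found"


def vulnerable_relay(client_url: str, fetch=fake_fetch) -> str:
    """Forwards whatever URL the client supplied: the SSRF in one line."""
    return fetch(client_url)


def leaked_credentials(body: str) -> dict:
    """What the intruder holds once the relay has reached the credentials path."""
    data = json.loads(body)
    return {k: data[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}


def is_forbidden_address(ip_text: str) -> bool:
    """Refuse link-local (where IMDS lives), loopback and the IMDS IPv6 address.
    Private ranges are deliberately allowed: a reverse proxy's backends live there."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_link_local or ip.is_loopback or ip_text in IMDS_ADDRESSES


def hardened_relay(client_url: str,
                   allowed_hosts=frozenset({"app.internal.example"}),
                   fetch=fake_fetch, resolve=fake_resolve) -> str:
    """Forward only to allow-listed backends, and re-check the resolved address."""
    u = urlparse(client_url)
    if u.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {u.scheme!r}")
    if u.hostname not in allowed_hosts:
        raise ValueError(f"host not on allow-list: {u.hostname!r}")
    address = resolve(u.hostname)
    if address is None or is_forbidden_address(address):
        raise ValueError(f"refusing to forward to {u.hostname!r} ({address!r})")
    # A real implementation connects to `address`, the IP it just checked, rather
    # than resolving the name a second time, so a DNS rebind cannot swap in IMDS.
    return fetch(client_url)


def relay_refuses(client_url: str, **kwargs) -> bool:
    """True if the hardened relay rejects the URL (handy for checks and tests)."""
    try:
        hardened_relay(client_url, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    imds_url = "http://169.254.169.254" + CREDS_PATH
    role = vulnerable_relay(imds_url)                               # step 1: learn the role name
    creds = leaked_credentials(vulnerable_relay(imds_url + role))   # step 2: fetch its keys
    print("vulnerable relay leaked:", creds["AccessKeyId"])
    print("hardened relay refuses IMDS:", relay_refuses(imds_url))
    print("hardened relay refuses attacker name:",
          relay_refuses("http://metadata.attacker.example" + CREDS_PATH,
                        allowed_hosts={"metadata.attacker.example"}))
    print("hardened relay serves the backend:", hardened_relay("http://app.internal.example/"))
```

The allow-list is the real control; the address check is defence in depth for the case where an allow-listed name is hijacked or rebound. AWS has since added IMDSv2, which answers metadata GETs only when they carry a session token obtained with a prior PUT request, so a relay that merely forwards GETs cannot complete the exchange shown in the vulnerable path above; requiring IMDSv2 on the instance closes this route independently of the proxy configuration.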
We’ve known for years that web applications and web servers are exposed by nature and require thoughtful design, configuration and maintenance. The lesson we are all learning now is that API calls and service functions are among the most lucrative targets for threat actors, and special consideration is needed whenever critical business functions rely on them.
Amazon points to services it offers AWS customers that would help mitigate an attack like the one Capital One experienced:
- IAM Access Advisor, to identify and scope down AWS roles that may have more permissions than they need;
- GuardDuty, designed to raise alarms when someone is scanning for potentially vulnerable systems;
- AWS WAF, which Amazon says can detect common exploitation techniques, including SSRF attacks;
- Amazon Macie, designed to automatically discover, classify and protect sensitive data stored in AWS.
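The second misconfiguration described earlier, a role able to reach every bucket, is what scope-down work of the Access Advisor kind is meant to surface. As an added example (not code from the original post or from AWS), here is a small Python check that flags IAM policy statements granting S3 read access across all buckets, run over two constructed policies: a broad one of the shape described above, and a scoped-down one limited to a single log bucket. The bucket name `example-waf-logs` and both policy documents are assumptions for the example, not Capital One’s actual policy.

```python
import fnmatch

# S3 actions that, granted on every bucket, let one leaked role credential
# list and download everything the account stores.
S3_READ_ACTIONS = ("s3:listallmybuckets", "s3:listbucket", "s3:getobject")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overly_broad_s3_statements(policy: dict) -> list:
    """Return indexes of Allow statements that grant S3 read on all buckets.

    Limitation (deliberate, to keep the check short): statements written with
    NotAction/NotResource or narrowed by a Condition block are not interpreted;
    treat those as needing manual review."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive globs: "s3:*", "s3:Get*", "*".
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        grants_read = any(fnmatch.fnmatchcase(read, pattern)
                          for pattern in patterns for read in S3_READ_ACTIONS)
        # A bare "*" or the S3 wildcard ARN covers every bucket in the account.
        resources = _as_list(stmt.get("Resource"))
        all_buckets = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if grants_read and all_buckets:
            findings.append(index)
    return findings


# Constructed: the shape of a role that can read every bucket in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed: the same role scoped to the one bucket a WAF needs for its logs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-waf-logs/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-waf-logs"},
    ],
}


if __name__ == "__main__":
    print("broad policy findings:", overly_broad_s3_statements(BROAD_POLICY))
    print("scoped policy findings:", overly_broad_s3_statements(SCOPED_POLICY))
```

Run against the role attached to each internet-facing instance, a non-empty result means a single SSRF like the one above exposes the whole account’s S3 data rather than one bucket. The check reads the policy document only; combine it with Access Advisor’s last-accessed data to decide which of the remaining permissions the role actually uses.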
None of these tools is a silver bullet, but if deployed and monitored properly they help both prevent and respond to a Capital One type of event. Whatever tooling is in place, the two root causes here were configuration problems, a relay that could reach the metadata service and a role that could reach every bucket, and both need fixing at the source. Any questions, please reach out to our team.
Tyson Savoretti | CISA CEH SSCP PCI-ISA CySA+
Information Security Consultant, Audit Liaison