Public Cloud Security Breaches

Snowflake

Sun, 30 Jun 2024 11:08:05 -0400

In the spring of 2024, a number of Snowflake customers suffered data breaches when cybercriminals announced they had data sets from high-profile customers like TicketMaster, LendingTree, Neiman Marcus, and Santander.

While Snowflake & Mandiant found no evidence their cloud offering was compromised, these incidents became a serious public relations issue.

Football Australia

Mon, 05 Feb 2024 07:27:16 -0500

Football Australia, the national governing authority for the sport, embedded an AWS Access Key in their website that granted access to 126 S3 Buckets containing sensitive information for players and fans.

Microsoft (Midnight Blizzard)

Sat, 20 Jan 2024 20:14:38 -0500

Leveraging an unused account, the Russian APT Midnight Blizzard was able to pivot into Microsoft’s corporate Office 365 to access the emails of key executives and cyber-security employees. Midnight Blizzard was searching for what information Microsoft knew about themselves.

First Republic Bank

Wed, 13 Dec 2023 04:16:54 -0500

In March 2020, a cloud engineer was terminated from First Republic Bank and subsequently accessed their AWS & GitHub environment to cause damage.

Retool MFA

Fri, 10 Nov 2023 19:43:16 -0500

An engineer at Retool fell victim to a social engineering attack that led to the compromise of an engineer’s MFA tokens and the account takeover of a small number of Retool customers.

Sumo Logic 2023

Fri, 10 Nov 2023 19:22:26 -0500

Sumo Logic notified customers of an incident and recommended customers rotate credentials in their platform.

Microsoft (Storm-0558)

Fri, 14 Jul 2023 14:12:47 -0400

In July of 2023, Microsoft disclosed a compromise of Exchange Online that targeted “25 organizations … including government agencies as well as related consumer accounts of individuals likely associated with these organizations.” The vector of compromise was several validation flaws in the Microsoft-hosted Exchange Online and AzureAD services.

As part of the Cyber Safety Review Board investigation of this incident, CISA issued a number of findings citing Microsoft’s negligence in securing their cloud infrastructure and make recommendations to both Microsoft and all cloud service providers.

From the CISA press-release:

“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” said DHS Under Secretary of Policy and CSRB Chair Robert Silvers. “It is imperative that cloud service providers prioritize security and build it in by design."

Breaches Update - June 2023

Fri, 30 Jun 2023 07:48:09 -0400

Welcome to the first breaches.cloud monthly update since going live in May. Not much has happened in the way of new breaches, but we did learn more from the FTC about public S3 buckets at Vitagene. I was busy organizing the fourth annual fwd:cloudsec conference in Anaheim, then attending AWS re:Inforce.

Vitagene

Wed, 21 Jun 2023 14:58:49 -0400

Vitagene is a consumer DNA sequencing company that the FTC fined for several deceptive privacy practices. As part of their investigation, the FTC determined that a few thousand customers’ DNA information was stored in public S3 buckets.

BrowserStack

Thu, 25 May 2023 05:15:19 -0400

In November 2014 BrowserStack, a cloud testing platform for cross-platform testing of different applications, was breached through an old prototype machine that had not been updated and was vulnerable to the shellshock exploit. The attacker created an IAM user and generated a keypair. The attacker accessed the email list and used AWS Simple Email Service to send emails to 5,000 users falsely stating BrowserStack was shutting down.

DataDog (2016)

Thu, 25 May 2023 04:57:54 -0400

In July 2016, SaaS provider DataDog suffered a breach affecting its AWS customers. The breach stemmed from an attacker targeting production infrastructure servers and a database that stores user credentials. AWS users who attempted to use AWS credentials shared with Datadog also reported issues. DataDog immediately mitigated and notified users of the breach and ensured any precautions needed to be taken.

UNC2903

Wed, 10 May 2023 14:38:46 -0400

Mandiant identified a new threat actor, UNC2903, attempting to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS). Mandiant observed that UNC2903 scanned the internet for a particular vulnerability and utilized a relay box to carry out exploitation and related IMDSv1 abuse.

Welcome to Breaches.Cloud

Wed, 10 May 2023 00:00:00 +0000

Welcome to Breaches.Cloud - the soon-to-be definitive source for analysis on cloud security-related breaches.

Why are we doing this?

As a cloud security practitioner, I often find myself trying to explain cloud security risks to my developer, operator, and builder constituency. Within the Cloud Security community, we know the potential risks of long-term access keys, publicly writable buckets, and insecure services exposed to the world.

About Breaches.Cloud

Fri, 05 May 2023 19:00:00 +0400

This site is a compendium of information related to security incidents and breaches with customers operating in the major cloud providers. It is intended to help cloud security practitioners articulate the risks of specific cloud security mistakes and to help them inform their respective leadership, development, and operations teams. Our goal is to provide the security community a go-to place for identifying real-world examples of how cloud security misconfigurations have impacted real customers. It’s one thing for us to say “It’s a bad idea to attach the S3FullAccess policy to your instance role when you only need to write to a single logging bucket,” and quite another to say “The 2019 Capital One breach wouldn’t have resulted in a 100 million dollar fine if the engineer deploying the WAF hadn’t attached the S3FullAccess to the ***WAF-Role”

Privacy Policy

Fri, 05 May 2023 19:00:00 +0400

Interpretation and Definitions Interpretation The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural. Definitions For the purposes of this Privacy Policy: Account means a unique account created for You to access our Service or parts of our Service. Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.

Codespaces (2014)

Fri, 28 Apr 2023 13:28:36 -0400

In June of 2014, The code hosting and project management provider known as CodeSpaces.com was forced to shut down after a series of events in which an Unknown threat actor performed a well-organized Denial of Service attack and attempted to demand payment. The threat actor accessed Codespaces Amazon Account when negotiations fell through, deleting data and backups.

CommuteAir

Fri, 28 Apr 2023 13:28:36 -0400

In January of 2023, CommuteAir suffered a breach that exposed the US Department of Homeland Security’s “No Fly” and Selective Screening lists containing over 1.5 million records, along with CommuteAir employee information. The attacker found an exposed Jenkins server and was able to access different build workspaces containing repositories for the build jobs. On the Jenkins server, the attacker found access keys that offered access to the CommuteAir environment. After investigating the AWS Infrastructure, the attacker found the No Fly List among test data on the Jenkins server.

Cisco WebEx

Fri, 21 Apr 2023 13:28:36 -0400

In September 2018 a former engineer leveraged AWS credentials, left over from his time of employment, which resulted in the deletion of 456 virtual machines for Cisco’s WebEx Teams application. Cisco cited the outage as costing over $2.4M dollars.

Uber Breaches (2014 & 2016)

Thu, 20 Apr 2023 13:38:46 -0400

In 2014 and again in 2016, Uber suffered a data breach where attackers gained access an unencrypted file containing sensitive user information. In both instances, the attackers used keys found in Uber’s GitHub repositories. In 2014, the attacker found an access key in a public repository. In 2016, the attackers used stolen GitHub credentials to access an AWS key in an engineer’s private repo.

Uber reported the 2014 incident to the Federal Trade Commission, which prompted an investigation into its security practices of Uber. As part of the 2016 incident, Uber’s Chief Information Security Officer paid the attackers $100,000, supposedly as a bug bounty, to delete and not disclose the data. This incident is notable because the CISO, Joey Sullivan, was later convicted for not promptly notifying the Federal Authorities when the breach occurred. Uber was fined $148 million for concealing the breach.

FTX Bankruptcy

Sun, 16 Apr 2023 10:35:11 -0400

FTX, a crypto-currency exchange, found itself in bankruptcy. At the moment of the leadership transition, over $400 million in crypto-currency was transferred from FTX’s wallets. The FTX trustee management discovered many poor cloud practices during the unwinding process.

Chegg (2018)

Fri, 14 Apr 2023 13:19:36 -0400

In April 2018, the educational platform Chegg Inc. suffered a breach leading to the exposure of sensitive data on over 40 million users. A former contractor used AWS root credentials to exfiltrate the data.

Drizly (2020)

Thu, 13 Apr 2023 14:38:46 -0400

In July 2020, Drizly, an on-demand alcohol delivery service, suffered a data breach that exposed the personal information of over 2 million users data. The source of the breach was an executive’s GitHub account that was the victim of a credential-stuffing attack. With access to GitHub, the attacker could find AWS credentials, reconfigure AWS security settings, and access a customer database, leading to the leak of 2 million user records.

Ubiquiti (2020)

Thu, 13 Apr 2023 14:38:46 -0400

In December of 2020, Ubiquiti suffered a breach at the hands of an employee. This employee masked his presence via a VPN and was able to clone the company’s GitHub repository and alter logs in AWS to hide their presence and evidence of the breach. After the attacker leaked false details of the attack to a well-known security blogger, Ubiquiti’s stock lost 4 billion dollars in value.

LA Times Cryptomining

Tue, 11 Apr 2023 13:28:36 -0400

In February 2018, The Los Angeles Times was unwittingly part of a crypto jacking scheme. A publicly writable S3 Bucket on their website was discovered and configured to serve a Coinhive Monero Miner Javascript code. The injected code used the CPU power of any browser that visited the site.

Imperva RDS Snapshot

Sun, 09 Apr 2023 16:51:47 -0400

An unknown threat actor compromised an un-used EC2 Instance, accessed AWS API Keys, and used them to exfiltrate a Database Snapshot from security vendor Imperva.

LastPass

Sat, 18 Mar 2023 10:53:42 -0400

In 2022, LastPass suffered a series of breaches, eventually leading to customer password vaults being taken. This incident is notable because it is the first time we’ve seen evidence that a threat actor targeted a specific employee’s home network to capture privileged cloud credentials.