While cloud-computing services are often touted as more secure than building and hosting applications in-house, that doesn't mean those cloud services are without their flaws. And with hackers increasingly looking to deploy their attacks through the software supply chain, cloud security is back in the spotlight.
Cybersecurity researchers found vulnerabilities in the infrastructure of a large software-as-a-service provider that, if exploited by an attacker, could've been used by cyber criminals as part of a cloud-based supply chain attack.
The unspecified SaaS provider invited cybersecurity researchers at Palo Alto Networks to conduct a red team exercise on their development software pipeline in order to identify vulnerabilities in the supply chain.
SEE: A winning strategy for cybersecurity (ZDNet special report)
"In just three days, a single Unit 42 researcher discovered critical software development flaws that left the customer vulnerable to an attack similar to those on SolarWinds and Kaseya VSA," the security company said.
At a time when so many businesses are reliant on cloud services, it demonstrates how misconfigurations and vulnerabilities can have a huge impact if not managed properly because of the hundreds or even thousands of companies that are reliant on the infrastructure.
Initially provided with the limited developer access a contractor would have, the researchers managed to elevate privileges to the extent that they were able to gain administrator rights to the wider continuous integration (CI) cloud environment.
Using this access, researchers examined as much of the environment as they could and were able to locate and gain access to 26 identity and access management (IAM) keys. Some of these contained hard-coded credentials that provided unauthorised access to additional areas of the cloud environment, which could be exploited to gain administrator access – allowing what should have been an account with limited access to gain privileges that open up the whole environment.
While the company that had requested penetration testing was able to detect some of the activity researchers engaged in, it was only after administrator access had been gained that this was the case – in the event of a real attack, this would have been too late and attackers would have compromised the system.
After the exercise, the researchers worked with the organization's security operations center, DevOps, and red and blue teams to develop a plan of action to tighten up security with a focus on the early identification of suspicious or malicious operations within their software development pipeline.
The researchers knew what they were looking for so were able to easily identify misconfigurations and vulnerabilities to exploit. While this might involve advanced knowledge of these environments and how to exploit them, it's the sort of thing that specialised attack operations like ransomware gangs or nation-state backed advanced persistent threat groups would also be familiar with – and will actively exploit if they can, as demonstrated by recent incidents.
"Successful supply chain attacks are particularly devastating due to the widespread fallout of the attacks, for example potentially thousands of downstream customer environments being compromised. The risk of fallout conditions should mandate the increase of security mechanisms and procedures used to protect the supply chain", Nathaniel Quist, principal researcher at Unit 42 at Palo Alto Networks, told ZDNet.
SEE: Cloud security in 2021: A business guide to essential tools and best practices
Part of the reason these environments can be exploited is because they're complex and can be difficult to secure – it's understandably not a simple task and vulnerabilities and misconfigurations can snowball to the extent that with patience and the right skills, attackers could exploit access to service providers and leave customers vulnerable to attacks.
There are a number of things that can be done to help protect cloud environments from unauthorised access, including providing access to systems and services on a role-based basis. If developer staff don't need access to access management keys, then there's no reason they should be able to gain hold of them.
"Role-based access controls within the developer roles would have prevented the Unit 42 researchers from accessing all of the developer repositories. Had the client limited developer user accounts to only the repositories required to perform their job, it would have prevented the red team from identifying all of the 26 hardcoded IAM keys," said Quist.
Organisations should also implement security checks and barriers as part of the development lifecycle. If these checks are implemented properly, it might be possible to determine that there's been unauthorised access to systems, something that could prevent an attack from being sent down the line to customers.
In this scenario, there's still a security issue to deal with, but dealing with it before hundreds or thousands of customers have been affected is a much better way to deal with it.
MORE ON CYBERSECURITY