[BreachExchange] Russia’s Hacking Success Shows How Vulnerable the Cloud Is

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 24 18:35:19 EDT 2021


https://foreignpolicy.com/2021/05/24/cybersecurity-cyberattack-russia-hackers-cloud-sunburst-microsoft-office-365-data-leak/

Russia’s Sunburst cyberespionage campaign, discovered late last year,
impacted more than 100 large companies and U.S. federal agencies, including
the Treasury, Energy, Justice, and Homeland Security departments. A crucial
part of the Russians’ success was their ability to move through these
organizations by compromising cloud and local network identity systems to
then access cloud accounts and pilfer emails and files.

Hackers said by the U.S. government to have been working for the Kremlin
targeted a widely used Microsoft cloud service that synchronizes user
identities. The hackers stole security certificates to create their own
identities, which allowed them to bypass safeguards such as multifactor
authentication and gain access to Office 365 accounts, impacting thousands
of users at the affected companies and government agencies.
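The detection angle a defender would want here: a token forged with a stolen signing certificate is accepted by the cloud service without the on-premises identity provider ever having recorded issuing it, and it often carries a lifetime no legitimate sign-in would. The following Python is an added example, not code from the article or from any vendor; it assumes two constructed log sources with invented field names (`token_id`, `mfa`, `not_before`, `not_after`) and assumed policy values (one-hour maximum token lifetime, five-minute correlation window), and flags cloud sign-ins that cannot be matched to an issuance event.

```python
"""Correlate identity-provider token issuance with cloud sign-ins.

Hypothetical detection logic (not from the article). Assumes the on-premises
identity provider logs every token it signs and the cloud service logs every
federated token it accepts. A token the cloud accepted but the identity
provider never logged signing is the trace a forged token leaves behind.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are assumptions.
IDP_ISSUANCE_LOG = [
    {"token_id": "t-1001", "user": "alice", "time": "2021-05-24T13:00:05Z", "mfa": True},
    {"token_id": "t-1002", "user": "bob",   "time": "2021-05-24T13:02:10Z", "mfa": True},
]
CLOUD_SIGNIN_LOG = [
    # normal: matches an issuance two seconds earlier, one-hour lifetime
    {"token_id": "t-1001", "user": "alice", "time": "2021-05-24T13:00:07Z",
     "not_before": "2021-05-24T13:00:05Z", "not_after": "2021-05-24T14:00:05Z"},
    # suspicious: cloud accepted it, identity provider never logged signing it
    {"token_id": "t-9999", "user": "admin", "time": "2021-05-24T13:05:00Z",
     "not_before": "2021-05-24T13:04:00Z", "not_after": "2021-05-25T13:04:00Z"},
    # suspicious: issuance exists, but the sign-in comes hours later
    {"token_id": "t-1002", "user": "bob",   "time": "2021-05-24T19:30:00Z",
     "not_before": "2021-05-24T13:02:10Z", "not_after": "2021-05-24T14:02:10Z"},
]

MAX_TOKEN_LIFETIME = timedelta(hours=1)    # assumed federation policy
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed clock and transit slack


@dataclass
class Finding:
    token_id: str
    user: str
    reasons: list = field(default_factory=list)


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(issuances, signins):
    """Return one Finding per cloud sign-in that fails any consistency check."""
    issued = {e["token_id"]: e for e in issuances}
    findings = []
    for s in signins:
        reasons = []
        seen = parse_ts(s["time"])
        issue = issued.get(s["token_id"])
        if issue is None:
            # The cloud trusted a token the identity provider never signed.
            reasons.append("no issuance event at identity provider")
        else:
            if issue["user"] != s["user"]:
                reasons.append("subject differs from issued subject")
            delta = seen - parse_ts(issue["time"])
            if delta < timedelta(0) or delta > CORRELATION_WINDOW:
                reasons.append("sign-in not within window of issuance")
            if not issue["mfa"]:
                reasons.append("issued without MFA")
        lifetime = parse_ts(s["not_after"]) - parse_ts(s["not_before"])
        if lifetime > MAX_TOKEN_LIFETIME:
            # Forged tokens are often minted with generous validity periods.
            reasons.append("token lifetime exceeds policy")
        if reasons:
            findings.append(Finding(s["token_id"], s["user"], reasons))
    return findings


if __name__ == "__main__":
    for f in correlate(IDP_ISSUANCE_LOG, CLOUD_SIGNIN_LOG):
        print(f"{f.token_id} ({f.user}): {'; '.join(f.reasons)}")
```

The check only works if the identity provider's signing log is shipped somewhere the attacker cannot edit; the correlation is done on the collector, not on the federation server itself.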

It wasn’t the first time cloud services were the focus of a cyberattack,
and it certainly won’t be the last. Cloud weaknesses were also critical in
a 2019 breach at Capital One. There, an Amazon Web Services cloud
vulnerability, compounded by Capital One’s own struggle to properly
configure a complex cloud service, led to the disclosure of tens of
millions of customer records, including credit card applications, Social
Security numbers, and bank account information.

This trend of attacks on cloud services by criminals, hackers, and nation
states is growing as cloud computing takes over worldwide as the default
model for information technologies. Leaked data is bad enough, but
disruption to the cloud, even an outage at a single provider, could quickly
cost the global economy billions of dollars a day.

Cloud computing is an important source of risk both because it has quickly
supplanted traditional IT and because it concentrates ownership of design
choices at a very small number of companies. First, cloud is increasingly
the default mode of computing for organizations, meaning ever more users
and critical data from national intelligence and defense agencies ride on
these technologies. Second, cloud computing services, especially those
supplied by the world’s four largest providers—Amazon, Microsoft, Alibaba,
and Google—concentrate key security and technology design choices inside a
small number of organizations. The consequences of bad decisions or poorly
made trade-offs can quickly scale to hundreds of millions of users.

The cloud is everywhere. Some cloud companies provide software as a
service, support your Netflix habit, or carry your Slack chats. Others
provide computing infrastructure like business databases and storage space.
The largest cloud companies provide both.

The cloud can be deployed in several different ways, each of which shifts
the balance of responsibility for the security of this technology. But the
cloud provider plays an important role in every case. Choices the provider
makes in how these technologies are designed, built, and deployed influence
the user’s security—yet the user has very little influence over them. Then,
if Google or Amazon has a vulnerability in their servers—which you are
unlikely to know about and have no control over—you suffer the consequences.

The problem is one of economics. On the surface, it might seem that
competition between cloud companies gives them an incentive to invest in
their users’ security. But several market failures get in the way of that
ideal. First, security is largely an externality for these cloud companies,
because the losses due to data breaches are largely borne by their users.
As long as a cloud provider isn’t losing customers in droves—which
generally doesn’t happen after a security incident—it is incentivized to
underinvest in security. Additionally, data shows that investors don’t
punish the cloud service companies either: Stock price dips after a public
security breach are both small and temporary.