[BreachExchange] Imperva explains how hackers stole AWS API Key and accessed to customer data

Destry Winant destry at riskbasedsecurity.com
Mon Oct 14 23:28:43 EDT 2019


https://securityaffairs.co/wordpress/92484/data-breach/imperva-data-breach-2.html

Imperva has shared details on the incident it recently suffered and on
how attackers obtained data on its Cloud Web Application Firewall (WAF)
customers.

In August, cybersecurity firm Imperva disclosed a data breach that
exposed sensitive information for some customers of its Cloud Web
Application Firewall (WAF) product, formerly known as Incapsula.

Incapsula is a CDN-based service designed to protect customers' websites
from web attacks and to mitigate DDoS attacks.

Imperva CEO Chris Hylen revealed that the company learned of the
incident on August 20, 2019, when it was informed of a data exposure
affecting its Cloud Web Application Firewall (WAF) product.

“We want to be very clear that this data exposure is limited to our
Cloud WAF product.” reads Hylen's announcement. “Here is what we
know about the situation today:

On August 20, 2019, we learned from a third party of a data exposure
that impacts a subset of customers of our Cloud WAF product who had
accounts through September 15, 2017.
Elements of our Incapsula customer database through September 15, 2017
were exposed. These included:

email addresses
hashed and salted passwords”

Leaked data included email addresses and hashed and salted passwords
for Cloud WAF customers whose accounts existed on or before September 15, 2017.

Hylen added that, for a subset of those Incapsula customers, API keys
and customer-provided SSL certificates were also exposed.

In a blog post, Imperva confirmed that it was informed of the incident
by someone who had requested a bug bounty. The company explained that
the data was exfiltrated not by exploiting a vulnerability in its
systems but through the unauthorized use of a stolen administrative AWS
API key.

Analysis of the data confirmed that the attackers stole it in October 2018.

“Our investigation identified an unauthorized use of an administrative
API key in one of our production AWS accounts in October 2018, which
led to an exposure of a database snapshot containing emails and hashed
& salted passwords.” reads the post published by Imperva.

“We compared the SQL dump in the provided dataset to our snapshots and
found a match. As of this post, we can say that the elements of
customer data defined above were limited to Cloud WAF accounts prior
and up to September 15, 2017. Databases and snapshots for our other
product offerings were not exfiltrated,”

The company said it has adopted additional security measures to protect
its customers, including placing newly created instances behind its VPN
by default, implementing monitoring and patching programs, and
decommissioning unused and non-critical compute instances.

Imperva explained that the incident was related to the migration of its
infrastructure to AWS, which began in 2017.

At the time, the development team created a database snapshot for
testing and to evaluate the migration to AWS. An internal compute
instance that they had created was left exposed to the internet, and it
contained an AWS API key. That instance was compromised, and the
attackers exfiltrated the AWS API key and used it to access the
snapshot.
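The chain above (a static AWS access key sitting on an exposed instance, then used from outside the organisation to reach a database snapshot) leaves a footprint in CloudTrail. The following is an added example, not Imperva's code and not from the article: a small detector run over constructed CloudTrail-style records that flags RDS snapshot API calls coming from untrusted addresses, calls made with long-lived IAM user keys (AKIA... prefix) rather than temporary STS credentials (ASIA... prefix), and any attempt to share a snapshot with another account. The trusted CIDRs, account IDs, key IDs, usernames and snapshot name are hypothetical; the field names follow CloudTrail's JSON record format.

```python
"""Flag suspicious use of AWS access keys against RDS snapshots.

Added example, not Imperva's code. All records, CIDRs, key IDs and
account numbers below are constructed for illustration.
"""
import ipaddress
import json

OWN_ACCOUNT = "111122223333"  # hypothetical account that owns the snapshot

# Assumed trusted caller ranges: corporate VPN egress and the VPC itself
# (callers using VPC endpoints show their private address in CloudTrail).
TRUSTED_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),  # hypothetical VPN egress
    ipaddress.ip_network("10.0.0.0/8"),      # hypothetical VPC range
]

# RDS actions that read, copy, restore or re-share snapshot data.
SNAPSHOT_ACTIONS = {
    "DescribeDBSnapshots",
    "CopyDBSnapshot",
    "ModifyDBSnapshotAttribute",
    "RestoreDBInstanceFromDBSnapshot",
}

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2018-10-03T02:14:09Z","eventSource":"rds.amazonaws.com","eventName":"DescribeDBSnapshots","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"migration-admin","accessKeyId":"AKIAEXAMPLE00000001"}}
{"eventTime":"2018-10-03T02:15:42Z","eventSource":"rds.amazonaws.com","eventName":"ModifyDBSnapshotAttribute","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"migration-admin","accessKeyId":"AKIAEXAMPLE00000001"},"requestParameters":{"dBSnapshotIdentifier":"customers-migration-test","attributeName":"restore","valuesToAdd":["999999999999"]}}
{"eventTime":"2018-10-03T09:00:00Z","eventSource":"rds.amazonaws.com","eventName":"DescribeDBSnapshots","sourceIPAddress":"203.0.113.42","userIdentity":{"type":"IAMUser","userName":"dba-oncall","accessKeyId":"AKIAEXAMPLE00000002"}}
{"eventTime":"2018-10-03T09:05:00Z","eventSource":"rds.amazonaws.com","eventName":"CopyDBSnapshot","sourceIPAddress":"10.0.4.11","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/migration-worker/i-0abc","accessKeyId":"ASIAEXAMPLE00000003"}}
{"eventTime":"2018-10-03T09:06:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"migration-admin","accessKeyId":"AKIAEXAMPLE00000001"}}
"""


def is_trusted_ip(ip_text, trusted_cidrs):
    """True when the caller address is inside an allowlisted range.

    CloudTrail puts an AWS service principal (e.g. 'rds.amazonaws.com')
    in sourceIPAddress for service-initiated calls; those are not IPs
    and are treated as trusted here.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in trusted_cidrs)


def is_long_lived_key(identity):
    """Static IAM user keys start with AKIA; STS temporary keys with ASIA."""
    return (identity.get("type") == "IAMUser"
            and identity.get("accessKeyId", "").startswith("AKIA"))


def analyze(cloudtrail_lines, trusted_cidrs=TRUSTED_CIDRS, own_account=OWN_ACCOUNT):
    """Return one finding per snapshot-related event that trips a rule."""
    findings = []
    for line in cloudtrail_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventSource") != "rds.amazonaws.com":
            continue
        if ev.get("eventName") not in SNAPSHOT_ACTIONS:
            continue
        ident = ev.get("userIdentity", {})
        src = ev.get("sourceIPAddress", "")
        reasons = []
        if not is_trusted_ip(src, trusted_cidrs):
            reasons.append(f"snapshot API call from untrusted address {src}")
        if is_long_lived_key(ident):
            reasons.append("static IAM user access key used instead of temporary credentials")
        if ev["eventName"] == "ModifyDBSnapshotAttribute":
            params = ev.get("requestParameters", {})
            if params.get("attributeName") == "restore":
                # 'all' makes the snapshot public; any other ID is a foreign account.
                foreign = [a for a in params.get("valuesToAdd", []) if a != own_account]
                if foreign:
                    reasons.append(f"snapshot {params.get('dBSnapshotIdentifier')} "
                                   f"shared with {', '.join(foreign)}")
        if reasons:
            findings.append({"time": ev["eventTime"], "event": ev["eventName"],
                             "key": ident.get("accessKeyId", "?"),
                             "source": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CLOUDTRAIL):
        print(f["time"], f["event"], f["key"], f["source"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, the two night-time calls from 198.51.100.7 with the static migration key are flagged (the second one also for sharing the snapshot with a foreign account), the on-call DBA's call from the VPN is flagged only for using a static key, and the role-based copy from inside the VPC is clean. The static-key rule is the one most relevant to this incident: a key that can be exfiltrated from a disk image is exactly the kind of credential that instance roles with short-lived STS credentials are meant to replace.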

In response to the incident, Imperva changed 13,000 passwords, rotated
more than 13,500 SSL certificates and regenerated roughly 1,400 API
keys. The good news is that the company is not aware of any malicious
account activity associated with the breach.

While the company is still investigating the incident it recommends
the following security measures to its customers:

- Change user account passwords for Cloud WAF (https://my.incapsula.com)
- Implement Single Sign-On (SSO)
- Enable two-factor authentication
- Generate and upload a new SSL certificate
- Reset API keys

