SolarWinds Fallout: Cloud Security is the Weak Link

Article By : Ann R. Thryft

Misconfigurations and the resulting security vulnerabilities are soaring as companies rush to the cloud.

Last December, when FireEye reported the massive SolarWinds data breaches, it was not immediately obvious that those breaches could not have occurred without cloud connectivity already in place.

The SolarWinds hacks leveraged cloud cybersecurity holes, hijacking the remote software update process. They also exposed fundamental flaws in cloud technology and deployment.

About one-third of companies experienced a serious cloud security or data breach or a data leak during the previous year, according to Fugue and Sonatype’s State of Cloud Security 2021 survey published in May. The study found that cloud misconfigurations continue to be the leading cause of cloud breaches. Of 300 cloud professionals surveyed, 83 percent said their organization was at risk for a major data breach caused by faulty configurations.

Much of the risk stems from “vast and complex” enterprise cloud infrastructure environments and their dynamic nature, consisting of multiple APIs and interfaces requiring governance. Other top reasons for misconfigurations were lack of adequate controls and oversight as well as inattention to security and policies.

Source: Fugue and Sonatype (Click on image to enlarge).

Misconfigurations are usually laid at the feet of cloud customers, not providers, under the Cloud Shared Responsibility model. A study by Aqua Security that examined a year’s worth of cloud configuration data for hundreds of its clients found that 90 percent are vulnerable to security breaches due to cloud misconfigurations. Less than 1 percent of enterprises fixed all misconfiguration issues, and larger enterprises required 88 days on average to fix known issues, thereby extending the time attackers could exploit them.

Rush to the cloud

Verizon’s most recent annual report on data breaches found that most cybersecurity incidents now involve cloud infrastructure, and more cybersecurity incidents involve external rather than internal cloud assets. One possible explanation, according to research by Thales, is that half of businesses are storing over 40 percent of their data in external cloud environments, but few are encrypting sensitive data.

An August survey by Vectra AI of Amazon Web Services (AWS) users found that 100 percent have suffered at least one security incident in their public cloud environment within the last year. The majority of enterprises now operate in multi-cloud environments, but those varied vendors pose greater security challenges, said 98 percent of respondents to a July Tripwire report.

Most said the shared responsibility model is often unclear regarding who does what. Most also want cloud providers to increase their security efforts.

Executives demanding digital transformation of their organizations are in a hurry. Nearly all cloud surveys confirm the rapid adoption of public and hybrid clouds, making it difficult to maintain security. As we’ve noted, that rush has been accelerated by the pandemic.

Hasty adoption has also increased notorious Microsoft Exchange Server (MES) attacks. Of MES exposures observed earlier this year by Palo Alto Networks researchers, 79 percent occurred in the cloud. “The cloud is inherently connected to the internet and it’s surprisingly easy for new publicly accessible cloud deployments to spin up outside of normal IT processes, which means they often use insufficient default security settings and may even be forgotten,” they wrote in a blog post.

Vulnerable cloud software

Some cloud security problems stem from vulnerabilities in specific cloud platforms or other software.

Wikipedia article — don’t laugh! — on the SolarWinds hacks baldly addresses what Microsoft would like you to forget about vulnerabilities in its software: Zerologon, “a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached. This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.

“Additionally, a flaw in Microsoft’s Outlook Web App may have allowed attackers to bypass multi-factor authentication.”

The article also points out that attackers used counterfeit identity tokens to fool Microsoft’s authentication systems.

In August, FireEye’s Mandiant security researchers revealed a critical vulnerability in a core component of the Kalay cloud platform. Kalay services millions of IoT devices, and the vulnerability exposes all of them to potential remote attacks.

“Since many of the impacted devices are video surveillance products — this includes IP cameras, baby monitors and digital video recorders — exploiting the vulnerability could allow an attacker to intercept live audio and video data,” FireEye said in a blog post.

As we reported, researchers at Wiz recently discovered a vulnerability in the Microsoft Azure cloud platform’s central database dubbed ChaosDB. This easily exploitable bug lets attackers gain “complete, unrestricted access” to the accounts and databases at thousands of organizations that use Cosmos DB. Hackers could also delete, download or manipulate data, as well as providing read/write access to Cosmos DB’s underlying architecture.

Wiz called it “the worst cloud vulnerability you can imagine.”


Cosmos DB “is a reminder that we still have a lot to do to protect ourselves,” Jon Jarboe, developer advocate for Accurics, told EE Times. “It’s not always clear exactly what cloud providers are doing with our data and how they’re doing it, versus what cloud users are doing, which makes it hard to protect.”

Jon Jarboe

Added Jarboe: “We know cloud providers are securing data at rest but what about in transit and in use? The Cosmos DB flaw exposes our primary keys to others who aren’t supposed to have that access. There isn’t even a good way for users to realize that this is possible. There is a lot more cloud providers and organizations can do to clarify the bigger security picture.”

Just as I was finishing my ChaosDB article, yet another equally dangerous Azure vulnerability was disclosed by Palo Alto Networks. “Azurescape” gives attackers control of any user’s entire Kubernetes container service infrastructure. A few days later, CosmosDB researchers at Wiz found still more critical, easy-to-exploit, remote code execution vulnerabilities within Azure, this time in the OMI software agent. “OMIGOD” affects “countless” Azure customers.

Although cloud providers are “trying to do the right thing, they have to protect their brand,” said Jarboe. “So, there’s always tension between explaining what they’re doing versus not exposing their trade secrets. Organizations secure things as best they can, and end up having to monitor the dark web for indications that data has been leaked.

“Maybe that’s the only way we can address this in the short term,” he concluded.

This article was originally published on EE Times.

Ann R. Thryft has written about manufacturing- and electronics-related technologies for Design News, Test & Measurement World, EDN, RTC Magazine, COTS Journal, Nikkei Electronics Asia, Computer Design, and Electronic Buyers’ News. She’s introduced readers to several emerging trends: industrial cybersecurity for operational technology, industrial-strength metals 3D printing, RFID, software-defined radio, early mobile phone architectures, open network server and switch/router architectures, and set-top box system design. At EBN Ann won two independently judged Editorial Excellence awards for Best Technology Feature. Currently, she is the industrial control & automation designline editor at EE Times. She holds a BA in Cultural Anthropology from Stanford University and a Certified Business Communicator certificate from the Business Marketing Association (formerly B/PAA).


Leave a comment