Cloud services are rapidly growing in popularity, and many organizations rely on them as their primary source of computing power. However, according to new research from IBM’s X-Force Research team, these cloud providers are susceptible to exploitation because it could turn a single flaw into a worldwide assault employing trusted core services. A lack of isolation between services and too little granularity within the permissions of various services and users is the center of the problem. Amazon Web Services recently had to close several vulnerabilities in its core services. One of those vulnerabilities was nasty: it allowed any person to access any company’s infrastructure.
Overview
Researchers at Google and RedLock uncovered attackers could use malicious AWS instances to exploit an insecure ELB (load balancer) configuration and gain access to a further 12 cloud providers. The most important of the 2 vulnerabilities occurred in AWS Glue. Developers use this service during data processing and ETL (extract, transform, load) activities. Using the flaw, attackers could execute arbitrary commands on servers with access to other services, allowing them to escalate their privileges until they reached critical ones that allowed full control over their target systems.
They found the second vulnerability in ELBs (elastic load balancers). By using Layer 7 attacks—wherein users get tricked into clicking on links or downloading malware—attackers could gain SSH root access within 30 minutes from several Elastic Load Balancers and other core services such as key/value storage. This provided a means of attacking both public cloud providers, including Amazon Web Services, Google Compute Engine, Microsoft Azure, IBM Bluemix, Oracle Cloud Platform and Alibaba Cloud, as well as private ones.
The flaw lived in an insecure configuration of AWS’ NACL (network access control list) rules that allowed machines with a standard EC2 security group to assume much higher privileges than usual if they could find a way onto any layer of AWS’ network.
How the Cloud Services Vulnerability Works
When a user creates an account with a service, they’re assigned a user ID and password, which are used to create API keys. API keys are like secure digital keys that grant access to applications without having to re-enter your password each time. For example, Amazon EC2—an Amazon Web Services tool that makes it easy for developers and businesses to get started with cloud computing—generates API keys for users and allows them to run code on virtual servers.
A flaw in one of Amazon’s services can turn into a global attack because when a new service gets created, it inherits permissions from its parent. This means that even if you don’t have administrative privileges on a service and can only access a subset of features, you might still exploit security flaws and run code with broader permissions. For example, if an attacker creates a new EC2 instance in another AWS region—AWS regions are geographical locations across which AWS offers customers access to content—the user will automatically inherit rights for more AWS resources than what they could normally manage through their user ID alone.
AWS isn’t alone in these exploits, though. Other cloud service providers have a sordid history of exploited services. Let’s check some of these out.
Microsoft Azure
While Microsoft Azure boasts a diverse range of services and deployment options, it’s no secret that its virtual machine system shares many similarities with VMware. That may have been OK in 2015, but in 2017 when researchers exploited VMware’s Vmxnet3 para-virtualized driver to break out of container containment, everyone saw just how dangerous commonalities between two different products can be.
When exploiting bugs in these shared services and drivers, rather than having to exploit one product at a time, exploits could now potentially work against every hypervisor running on Windows. A vulnerability like that would turn even small vulnerabilities into very effective attacks against customers using any hypervisor platform. Being able to target one service with a single attack isn’t just bad for vendor security: it’s also terrible for customer security. It essentially reduces attack surfaces across multiple products by combining their defenses into one exploitable service.
Google Cloud Platform (GCP)
GCP has been beefing up security recently by limiting access to key services and isolating certain data. Google is implementing a user-based permissions model with GCP, which gives administrators finer control over user privileges. Google also limits what users can do through IAM (Identity and Access Management) tools and no longer offers access to IAM for Compute Engine resources. This can prevent attacks from being made via legitimate accounts—but it’s not a silver bullet. There are still ways that an attacker could subvert your IAM rules and gain full administrative rights on your cloud. It all comes down to making sure you keep current with updates and patches so that you have all your defenses in place.
Other Key Points
The risks of a cloud provider failure are now greater than ever. Advanced attacks, such as phishing, RATs and zero-day exploits, can take advantage of vulnerable services within cloud providers because they lack isolation. Isolation makes it troublesome for a single flaw to be turned into a world attack because ownership limits access.
For example, if one VM or user becomes compromised because of an exploit against its hypervisor or service software, other VMs and users remain isolated. Isolation is important when you think about some of these advanced threats which start with stolen credentials from a third party (phishing). Once attackers have breached your account, there’s no way to trust that they won’t go after other resources in your account.
Is There a Solution?
As enterprises move their workloads into public clouds, security teams are struggling to secure these new environments. Core services such as storage and identity management are now shared resources that need controlled isolation from one another. New security models must support both open-and-closed network configurations, decoupling access control from a single point of control and enabling clear separation between groups that have different permissions or rights.
In plain English: Many major cloud providers have yet to address simple isolation flaws in their services. These flaws can get turned into attacks that take advantage of trust relationships and shared resources, allowing a single security breach to spread across entire data centers or even cloud providers’ shared infrastructure. A more granular approach to access control is necessary. Fortunately, businesses can allow different workloads within public clouds to get secured and segregated without sacrificing convenience or performance.
I know that you’re a smart cookie. You know that websites don’t just happen by accident. You need someone that can pay attention to detail, think outside the box, plan and execute well, and provide the support you need to grow your business.
That’s why I offer comprehensive design, content, and support so you can focus on what you do best while I take care of your website. My 24/7 live monitoring system ensures your website is always up and running so visitors will be able to find what they’re looking for when they find it.
Help your business grow with me: Jonquil.