Published on July 10th, 2017 | by Akshay Nayak
Breach of the Month – June 2017
Every Friday the SS8 Twitter feed features a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. Lucky(?) for us, the month of June has been rife with breaches and malware. Below we list the contenders as well as the winner of June’s breach of the month, featuring the thoughts of Threat Researcher Akshay Nayak.
OneLogin, a cloud based Single Sign On solution provider, was a victim of a security breach which led to unauthorized access of customer data such as users, apps and different kinds of keys. The attackers leveraged AWS API calls to create instances within OneLogin’s infrastructure which were then used to access resources.
A data breach occurred at Kmart due to malware that bypassed the anti-virus software installed on the systems holding payment data. Kmart said in its press release that no customer PII (personally identifiable information) was exposed.
6 million user account details were compromised in a data breach at CashCrate – a website that pays users for things such as completing online surveys and testing new products or services. The stolen data includes emails, names, passwords and physical addresses.
Buckle experienced a security incident in which certain POS systems were infected with malware. In its breach notification, Buckle states that the malware searched for track data read from the magnetic stripe on payment cards. Forensic analysis also showed that some of this data included expiration dates and account numbers, as well as the names of account holders.
This list cannot be complete without a mention of the NotPetya malware pandemic that spread across multiple countries around the end of June. This malware shares some code with the Petya family and, thanks to extensive media coverage, is known by a variety of names, including NotPetya, SortaPetya and Petna. It originated in Ukraine, where it hit targets such as the international airport, the central bank and radiation monitoring systems at the Chernobyl plant, and from there it spread to more than 60 countries. To move between machines NotPetya used the EternalBlue and EternalRomance exploits from the leaked NSA toolkit, which target a vulnerability in SMBv1 that Microsoft had already patched in March 2017 (MS17-010); it also harvested credentials from memory and reused them with standard Windows administration tools (PsExec and WMIC), so unpatched SMB was not its only path across a network. Even though media outlets dubbed it ransomware, giving in and paying the ransom is futile: the encrypted files are unrecoverable, and the contact mailbox victims were told to e-mail was shut down by its provider within hours. This is a great example of what happens when good patch management is not in place, with the caveat that patching alone would not have stopped the credential-reuse spread inside a network.
And the winner for June is….
The OneLogin breach.
OneLogin is a company that provides cloud based Single Sign On and IAM (Identity and Access Management) solutions. It has a sizable customer base with more than 2000 deployments in 44 countries. On May 31st around 2 AM Pacific time, an attacker who had obtained a set of AWS API keys used them to create multiple instances within OneLogin's infrastructure. These instances in turn were used to conduct reconnaissance and subsequently access the database server. The same morning around 9 AM, this unauthorized access was detected and the affected instances were shut down.
OneLogin stated in their breach notification that the threat actor accessed database tables containing “information about users, apps and various types of keys”. They also mentioned the possibility of the attacker having enough information to decrypt the data that was encrypted (at rest). Motherboard was able to acquire a copy of the post breach email sent by OneLogin to its customers. The email listed all the steps to be taken to regain access to applications and safeguard critical data. Some of these include generating new API keys and OAuth tokens, creating new certificates and requiring end users to change their passwords.
There are two reasons for choosing the OneLogin breach as the winner. First, unlike the NotPetya malware which spread like a worm and did not discriminate, this was a targeted attack. The adversary did his or her homework on OneLogin’s cloud infrastructure and knew which intermediate service provider to get the API keys from.
Second, this breach will have serious ramifications for the affected companies. Single Sign On gives users access to all their applications with a single set of credentials, which also means that a company adopting SSO has all its eggs in one basket: if the SSO vendor is breached, every application behind it is jeopardized. The same asymmetry shows up in effort. Deploying an SSO solution is relatively painless; cleaning up after the SSO provider has been compromised is anything but, since every downstream API key, OAuth token, certificate and user password has to be rotated.
This breach teaches us quite a few things:
- As cloud based solutions gain popularity, it is important that service and solution providers pay attention to both cloud-independent and cloud-specific security controls. In this case, the two controls most directly relevant are monitoring of AWS API calls (CloudTrail) for anomalies, such as instances being created well outside of office hours or from an unfamiliar source address, and a robust key management system for AWS access keys, so that a key sitting on an intermediate host is short-lived, narrowly scoped and quickly revoked. OneLogin has committed to implementing these two countermeasures in addition to three others.
- For SSO, the data encryption keys must not sit unprotected on the same server as the encrypted data. If they do, a compromise of that server yields both ciphertext and keys, and encryption at rest buys nothing; OneLogin's own notice conceded that the attacker may have had enough to decrypt the data. Keys should live in a separate key management service or hardware security module, and where the server must hold key material, it should be split so that both a client-held component and a server-held component are required to unwrap the data keys. Then a breach of either party alone is not enough to decrypt the data.
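The monitoring point in the first lesson above, as an added example that is not part of the original post or of OneLogin's own tooling: a small Python detector run over constructed CloudTrail-style records. CloudTrail is the AWS service that records API calls, and the field names below follow its record format, but the records themselves, the access key IDs, the office-hours window, the Pacific timezone offset and the trusted egress range (203.0.113.0/24, a documentation prefix) are all assumptions made for this example.

```python
import json
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from OneLogin's disclosure): the team works
# in Pacific time, office hours are 07:00-19:59 local, and all legitimate
# operator traffic comes from one corporate egress range.
OFFICE_TZ = timezone(timedelta(hours=-7))      # PDT; production code would use zoneinfo
OFFICE_HOURS = range(7, 20)
TRUSTED_NETS = [ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
# API calls that create capacity or credentials or widen access: worth alerting on.
SENSITIVE_CALLS = {"RunInstances", "CreateAccessKey", "CreateUser",
                   "AttachUserPolicy", "AuthorizeSecurityGroupIngress"}

# Constructed CloudTrail-style records, one JSON object per line. Field names
# follow the CloudTrail record format; every value is invented for this example.
SAMPLE_LOG = """
{"eventTime": "2017-05-31T08:58:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0001"}}
{"eventTime": "2017-05-31T09:02:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0001"}}
{"eventTime": "2017-05-31T09:05:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0001"}}
{"eventTime": "2017-05-31T16:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "ops-alice", "accessKeyId": "AKIAEXAMPLE0002"}}
{"eventTime": "2017-05-31T17:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "ops-alice", "accessKeyId": "AKIAEXAMPLE0002"}}
"""


def parse_events(text):
    """Yield one dict per non-empty NDJSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def local_hour(event):
    """Hour of the call in the team's timezone; CloudTrail timestamps are UTC."""
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc).astimezone(OFFICE_TZ).hour


def from_trusted_source(source):
    """True when the source is inside a trusted range. Non-IP values (AWS service
    principals such as 'ec2.amazonaws.com') are not checked here and pass."""
    try:
        ip = ip_address(source)
    except ValueError:
        return True
    return any(ip in net for net in TRUSTED_NETS)


def find_anomalies(events):
    """Return (eventTime, accessKeyId, eventName, reasons) for each suspicious call."""
    findings = []
    for ev in events:
        reasons = []
        name = ev.get("eventName")
        if name in SENSITIVE_CALLS and local_hour(ev) not in OFFICE_HOURS:
            reasons.append("sensitive call outside office hours")
        if not from_trusted_source(ev.get("sourceIPAddress", "")):
            reasons.append("untrusted source IP")
        if reasons:
            key = ev.get("userIdentity", {}).get("accessKeyId")
            findings.append((ev["eventTime"], key, name, reasons))
    return findings


def run_instances_per_key(events):
    """Instances launched per access key: a burst from one key is a second,
    independent signal even when every single call looks routine."""
    counts = {}
    for ev in events:
        if ev.get("eventName") == "RunInstances":
            key = ev.get("userIdentity", {}).get("accessKeyId")
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    for when, key, name, why in find_anomalies(events):
        print(f"{when} {key} {name}: {', '.join(why)}")
    print(run_instances_per_key(events))
```

Run against the sample, the two early-morning RunInstances calls trip both rules and the DescribeInstances call from the same unknown address trips the source-IP rule, while the daytime calls from the corporate range are silent. In a real deployment the records come from a CloudTrail delivery bucket or CloudWatch Logs, and the trusted ranges and hours come from configuration rather than constants.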
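The split-key point in the second lesson above, as an added example (not OneLogin's design, whose details were never published): envelope encryption in which each record gets a fresh data key, the data key is wrapped under a key-encryption key, and that KEK is derived from two 32-byte shares, one held by the service and one by the client, so that the server-side share plus the stored record is not enough to decrypt anything. The HMAC-SHA256 encrypt-then-MAC stream cipher used for seal/unseal is a stand-in for a real AEAD such as AES-GCM, chosen only because the Python standard library has no block cipher; the share values and the sample record are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Example only: this HMAC-SHA256 encrypt-then-MAC stream construction stands in
# for a real AEAD (AES-GCM or ChaCha20-Poly1305) because the standard library
# ships no block cipher. The key-handling pattern is the point, not the cipher.


def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _subkeys(key):
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return _prf(key, b"enc"), _prf(key, b"mac")


def _keystream(enc_key, nonce, length):
    blocks = (_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)


def unseal(key, blob):
    """Raise ValueError on a wrong key or modified data before touching the payload."""
    if len(blob) < 48:
        raise ValueError("malformed blob")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_prf(mac_key, nonce + ct), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_kek(server_share, client_share):
    """Key-encryption key from two 32-byte shares; either share alone reveals nothing."""
    if len(server_share) != 32 or len(client_share) != 32:
        raise ValueError("shares must be 32 bytes")
    mixed = bytes(a ^ b for a, b in zip(server_share, client_share))
    return hashlib.sha256(b"kek-v1" + mixed).digest()


def encrypt_record(server_share, client_share, plaintext):
    """Envelope encryption: a fresh data key per record, wrapped under the KEK.
    Only the wrapped DEK and the ciphertext are stored; DEK and KEK never are."""
    dek = secrets.token_bytes(32)
    kek = derive_kek(server_share, client_share)
    return {"wrapped_dek": seal(kek, dek), "ciphertext": seal(dek, plaintext)}


def decrypt_record(server_share, client_share, record):
    kek = derive_kek(server_share, client_share)
    dek = unseal(kek, record["wrapped_dek"])
    return unseal(dek, record["ciphertext"])


def decrypt_or_none(server_share, client_share, record):
    """Return None instead of raising, so a failed decryption is easy to check."""
    try:
        return decrypt_record(server_share, client_share, record)
    except ValueError:
        return None


if __name__ == "__main__":
    server_share = secrets.token_bytes(32)   # held by the service, e.g. in its KMS
    client_share = secrets.token_bytes(32)   # held by the customer, supplied per request
    rec = encrypt_record(server_share, client_share, b"user=alice app=payroll")
    print(decrypt_record(server_share, client_share, rec))
    # Server compromise: the attacker has server_share and the stored record,
    # and must guess the client share. A guess fails at the wrapped DEK's tag.
    print(decrypt_or_none(server_share, bytes(32), rec))
```

The stored record carries no key material an attacker can use on its own: unwrapping the DEK needs the KEK, and the KEK needs both shares. Flipping a byte of the stored ciphertext is rejected at the tag check before any plaintext is produced, which is the property to insist on from whatever real AEAD replaces the stand-in cipher.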
Akshay Nayak is a Threat Researcher at SS8. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.