Misconfigured cloud security exposes highly sensitive data

Issue

An organization, referred to here as ABC*, ran its client web-application support business on the AWS cloud. Its IT team accidentally misconfigured the security settings of newly purchased cloud storage buckets, leaving the sensitive data of its entire customer base at risk. The incident came to light during a vulnerability assessment and penetration test of the organization's cloud infrastructure.

The organization's main business was building web applications to its clients' specifications, hosting them on the AWS cloud, managing their operation and troubleshooting, and delivering continuous improvements as client requirements evolved. Its IT administrator also regarded the AWS cloud as the best and safest place to store the sensitive databases of a growing client base, on the grounds that access requires a login.

The organization periodically bought additional cloud storage buckets from AWS as its business requirements grew. As part of this routine, the IT team purchased two AWS buckets to store backups of customer documentation and rescue passwords.

However, the IT administrator forgot to switch the buckets from public to private (they were public by default when the organization first purchased them). He also forgot to restrict access to the buckets with Cloud Identity and Access Management (Cloud IAM) permissions. This misconfiguration allowed any user, inside or outside the organization's network, to access the buckets' sensitive customer data regardless of the cloud console's login controls.

Had an external malicious attacker found this vulnerability first, the damage would not have been limited to the organization's goodwill: the attacker could also have launched secondary attacks against the organization's clients. Such an attacker could have exposed the organization's secret API data, authentication credentials, certificates, decryption keys and the confidential data linked to customer records.

This issue therefore demonstrates the importance of periodically conducting Vulnerability Assessment and Penetration Testing (VAPT). Shashwat Solutions conducted VAPT on the organization's cloud and information systems assets as part of an ISO 27001 compliance and systems audit requested by the organization's director. The activity helps an organization protect its information systems in time against possible zero-day attacks, assess and patch vulnerabilities (exploiting them first, where permitted, to confirm impact) and strengthen its overall security infrastructure.

Investigation

As part of security policy compliance, Shashwat Solutions conducted the VAPT and systems audit of the ABC organization with the approval of its director and management.

The first investigation step taken by Shashwat Solutions was a review of the agreements the organization had signed with its cloud provider, since it was using public cloud services. We followed the penetration testing process recommended by the cloud provider, Amazon, and as part of it agreed with the organization's application administration team on the items to be covered by the pen-testing plan. We then selected the tools needed to identify misconfigurations and flaws in the organization's AWS cloud and its buckets.

We conducted a range of AWS-specific penetration tests, including EC2 instance and application exploitation, AWS IAM key testing, and S3 bucket configuration and permission checks. In the process we discovered that the two AWS buckets the IT team had recently purchased were misconfigured for public access: their contents could be downloaded by anyone who entered the buckets' web addresses into a browser. The buckets, named "clientele-docs" and "clientele-rescue_ssl", exposed highly sensitive internal information about the organization's clients. Both were maintained by an account named "abcitmang001", a likely indication of where the buckets had been created.

The misconfigured buckets held a significant amount of sensitive data. The "clientele-docs" bucket contained a large database of sensitive records belonging to the organization's clients. The "clientele-rescue_ssl" bucket contained a folder named client.aws.abc.com, which in turn held a "Cloud_File_Store_Rescue_Key" folder with several private keys, together with the certificates used to decrypt traffic between the organization and its clients.

The VAPT further found that these rescue credentials were linked to the organization's access to shared client data on a Google Cloud server. This gave an attacker a path to compromise the clients' own cloud assets and networks.

The VAPT activity thus enabled Shashwat Solutions to identify the security flaw in the organization's AWS buckets and network. Shashwat Solutions then guided the organization's IT manager in patching the vulnerability urgently, to protect the organization's cloud assets and network from malicious actors.

Analysis

After conducting the VAPT of the organization's AWS cloud environment and information systems, Shashwat Solutions documented its findings in a report and provided remediation recommendations. The report enumerated the risks found in the organization's AWS environment and network. Among them, we rated the incident described above as a severe, high-risk finding: it had a high likelihood of exploitation by a bad actor and a correspondingly high potential impact on the organization.

Because the finding was critical, we also performed an unannounced retest to verify remediation before closing the VAPT project. We advised the organization's IT manager to stay vigilant and to check the configuration of every new cloud bucket from time to time. As a best practice we recommended setting up a regular schedule for checking cloud permissions for inappropriate access, in addition to the existing network scans, and we showed him ways of securing the organization's sensitive information.
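The scheduled permission check recommended above can be automated. The following Python script is an added example written for this page, not a tool used by Shashwat Solutions or by the organization. It evaluates the three places an S3 bucket can be opened to the public (the Public Access Block settings, the bucket ACL and the bucket policy) and reports findings. It runs offline on constructed samples: a weak configuration resembling the incident (no Public Access Block, an ACL grant to AllUsers and an anonymous-principal policy) and a hardened one. The bucket name is taken from the case; the account ID and role name in the hardened policy are placeholders. The `collect_bucket` helper shows how to feed the same checks from a boto3 client but is not exercised by the samples.

```python
"""Audit S3 bucket exposure from Public Access Block, ACL grants and bucket policy.

Added example: pure evaluation logic over constructed inputs, so it runs offline.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields such as Principal.AWS and Action may be a string or a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True if a policy Principal grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy):
    """Allow statements with an anonymous principal. policy: dict, JSON string or None."""
    if policy is None:
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))]


def public_acl_grants(grants):
    """ACL grants to the AllUsers or AuthenticatedUsers predefined groups."""
    return [g for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def audit_bucket(name, pab, grants, policy):
    """Return a list of finding strings; an empty list means nothing public was found."""
    findings = []
    pab = pab or {}  # None means no bucket-level Public Access Block is configured
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(f"{name}: Public Access Block not fully enabled ({', '.join(missing)})")
    # Public ACL grants are only effective when the bucket does not ignore them.
    for g in public_acl_grants(grants):
        if not pab.get("IgnorePublicAcls"):
            group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {g['Permission']} to {group}")
    # An anonymous-principal policy is only effective unless RestrictPublicBuckets is set.
    for s in public_policy_statements(policy):
        if not pab.get("RestrictPublicBuckets"):
            actions = ", ".join(_as_list(s.get("Action", [])))
            findings.append(f"{name}: bucket policy allows {actions} to anonymous principal")
    return findings


def collect_bucket(s3, name):
    """Gather the three inputs from a boto3 S3 client (duck-typed; boto3 is not imported).
    A missing Public Access Block or policy raises NoSuch... errors, which mean 'none set'."""
    def call(fn, key):
        try:
            return fn(Bucket=name)[key]
        except Exception as exc:  # botocore ClientError carries the error code in its text
            if "NoSuch" in str(exc):
                return None
            raise
    return {"name": name,
            "pab": call(s3.get_public_access_block, "PublicAccessBlockConfiguration"),
            "grants": call(s3.get_bucket_acl, "Grants") or [],
            "policy": call(s3.get_bucket_policy, "Policy")}


# Constructed samples (not the real buckets' settings); bucket name taken from the case.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}
WEAK = {
    "name": "clientele-docs",
    "pab": None,
    "grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::clientele-docs/*"}]}),
}
HARDENED = {
    "name": "clientele-docs",
    "pab": {k: True for k in PAB_KEYS},
    "grants": [OWNER_GRANT],
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},  # placeholder
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::clientele-docs/*"}]}),
}

if __name__ == "__main__":
    for sample in (WEAK, HARDENED):
        print(sample["name"], audit_bucket(**sample) or ["no public exposure found"])
```

Two caveats when running this against real accounts: an absent bucket-level Public Access Block is a weakness rather than proof of exposure, because the account-level setting (read with the S3 Control `get_public_access_block` call) can still block public access; and a bucket with no Public Access Block but also no public grant or anonymous policy is not public, which is why the ACL and policy checks are reported separately from the missing-block finding.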

The organization's IT manager quietly secured the servers as soon as the incident came to light. Even so, the episode shows how a moment's carelessness could have cost the organization dearly by exposing its crucial data and creating serious risk.

Finally, this cloud leak shows that even the most advanced and secure enterprises can expose sensitive data with serious consequences. It could have led to loss of the organization's goodwill, compromise of its clients' business environments and heavy financial damage across the organization's entire network of business partners.

The VAPT activity conducted for this organization thus helped it secure its data against exposures of this kind.
