There have been numerous data leaks recently due to misconfigured cloud environments, most notably ElasticSearch and Amazon S3. Earlier this year, Gartner predicted that 95% of cloud security failures in 2020 will be due to misconfigured clouds, and these exposures indicate that prediction is coming true. Be sure to review security best practices for all your cloud environments, especially Amazon S3 and ElasticSearch.
Technical detail and additional information
What is the threat?
In the past week, there have been major data exposure incidents due to unsecured cloud-based databases. A security researcher, Bob Diachenko, discovered a large ElasticSearch database that had no password protection. This database contained a total of 2.7 billion email addresses, 1 billion of which were paired with passwords in clear text. The emails that came with passwords were also confirmed to be part of a major data breach that occurred back in 2017, after which they were sold on the Dark Web. Diachenko reported the database and it was ultimately taken down, but the confidential information had been wide open to the public for at least a week. The rise in unsecured databases found by researchers is an indicator that threat actors are also accessing the same or similar information without authorization.
In another instance, 800,000 birth certificate applications were found online by researchers at Fidus Information Security. These applications were exposed by an unnamed company whose service is to supply individuals with copies of birth and death certificates. The applications were found on the Amazon Web Services cloud platform with no password protection. Anyone who could guess the URL was able to access these records, which contained personally identifiable information (PII). The highly sensitive material includes email addresses, phone numbers, birthdays, home addresses, historical data, and family member information. Because this personal data is so publicly accessible, the exposure to attackers increases dramatically, which can cause serious harm to every individual involved.
Why is this noteworthy?
Amazon Web Services S3 and ElasticSearch are highly reputable services that are widely used. Because cloud storage services make information and resources easier to maintain, many people have shifted towards this way of preserving sensitive data regardless of the risk of confidential exposure.
What is the exposure or risk?
Misconfigured services have led to billions of emails and passwords, and hundreds of thousands of birth certificate applications, being exposed to the general public. This exposed data is susceptible to fraud and identity theft. With full control, attackers can copy and exfiltrate the data to use it for malicious intent. Attackers can use email addresses for social engineering tactics such as phishing attempts. The personal information found can be used to access online banking accounts and credit card data to make illegal transactions on behalf of the individual. These cybercriminals end up gaining access to multiple services that should only be attainable by the respective users.
What are the recommendations?
- Access controls and encryption methods should be enabled to protect your data.
- Multifactor Authentication should always be enabled to restrict access to management consoles and privileged accounts.
- Organizations must be aware of what they oversee in terms of managing data, access controls, and identity policies. Major security providers offer the tools for encrypting your data, but it is up to the organization to enable the protection and put it to efficient use.
- Enable security logging and monitoring to keep track of unauthorized access attempts and configuration changes, and for auditing purposes. AWS CloudTrail can be used to audit AWS environments. It can be connected to an organization's SIEM to send alerts each time an AWS S3 bucket is made public or any changes are made to encryption settings.
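The last recommendation above, turning CloudTrail events into alerts when a bucket is made public or its encryption settings change, is the kind of rule a SIEM would carry. The following is an added example written for this page, not code from the advisory's authors or from AWS: it classifies CloudTrail records for the S3 API calls that matter here (`PutBucketAcl`, `PutBucketPolicy`, `PutBucketPublicAccessBlock`, `PutBucketEncryption`, `DeleteBucketEncryption`). The sample records are constructed and use a simplified version of the `requestParameters` shape CloudTrail emits; the account ID, bucket names and role ARN are placeholders.

```python
import json

# Grantee URIs that make an S3 ACL world-readable or readable by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """CloudTrail may serialize a single Grant/Statement as a dict rather than a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for the anonymous principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def classify_event(event):
    """Return a finding dict for a risky S3 configuration change, or None."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return None
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    reason = None

    if name == "PutBucketAcl":
        acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
        public = [g for g in _as_list(acl.get("Grant"))
                  if (g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEE_URIS]
        if public:
            perms = ",".join(sorted({g.get("Permission", "?") for g in public}))
            reason = "bucket ACL grants %s to a public group" % perms
    elif name == "PutBucketPolicy":
        statements = _as_list((params.get("bucketPolicy") or {}).get("Statement"))
        if any(s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
               for s in statements):
            reason = "bucket policy allows an anonymous principal"
    elif name == "PutBucketPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        disabled = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if cfg.get(k) is False]
        if disabled:
            reason = "public access block disabled: " + ", ".join(disabled)
    elif name == "DeleteBucketEncryption":
        reason = "default encryption removed"
    elif name == "PutBucketEncryption":
        reason = "default encryption configuration changed"

    if reason is None:
        return None
    return {
        "bucket": params.get("bucketName"),
        "event": name,
        "actor": (event.get("userIdentity") or {}).get("arn", "unknown"),
        "time": event.get("eventTime"),
        "reason": reason,
    }


def scan(records):
    """Run classify_event over a list of CloudTrail records and keep the findings."""
    return [f for f in (classify_event(r) for r in records) if f]


# Constructed sample records (placeholder account, buckets and role).
_ROLE = "arn:aws:iam::123456789012:role/app-deployer"
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "eventTime": "2019-12-10T14:02:11Z",
     "userIdentity": {"arn": _ROLE}, "requestParameters": {"bucketName": "certificate-apps",
     "AccessControlPolicy": {"AccessControlList": {"Grant": [{"Grantee": {"xsi:type": "Group",
     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "eventTime": "2019-12-10T14:05:40Z",
     "userIdentity": {"arn": _ROLE}, "requestParameters": {"bucketName": "internal-reports",
     "bucketPolicy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": _ROLE}, "Action": "s3:GetObject"}]}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "eventTime": "2019-12-10T14:06:02Z",
     "userIdentity": {"arn": _ROLE}, "requestParameters": {"bucketName": "certificate-apps",
     "bucketPolicy": {"Statement": {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock", "eventTime": "2019-12-10T14:07:19Z",
     "userIdentity": {"arn": _ROLE}, "requestParameters": {"bucketName": "certificate-apps",
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": False, "IgnorePublicAcls": True,
     "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventTime": "2019-12-10T14:08:00Z",
     "userIdentity": {"arn": _ROLE}, "requestParameters": {"bucketName": "internal-reports", "key": "q4.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption", "eventTime": "2019-12-10T14:09:33Z",
     "userIdentity": {"arn": _ROLE}, "requestParameters": {"bucketName": "certificate-apps"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Fed the constructed records, the scan reports four findings (the public ACL, the anonymous bucket policy, the weakened public access block and the removed encryption) and ignores the private policy update and the ordinary object read. In production the records would come from CloudTrail's delivery to S3 or CloudWatch Logs, and a finding should carry the bucket, the actor ARN and the timestamp, as here, so the on-call analyst can revert the change and review who made it.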
For more in-depth information about the recommendations, please visit the following links:
For more information, please contact our Security Operations Center.