6/20/2014
01:40 PM

Code Hosting Service Shuts Down After Cyber Attack

Code Spaces shuttered its doors after a hacker accessed the company's Amazon EC2 control panel and erased business data and other information.

A code hosting company has shut down following a cyber attack that erased much of its data, backups, machine configurations, and offsite backups.

The company states in a message on its homepage:

Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.

Visitors to the Code Spaces website are greeted with a lengthy outline of what happened. On Tuesday, the company explains, Code Spaces was hit by a distributed denial-of-service attack against its servers. Such attacks weren't uncommon. Unfortunately, this time it was just the beginning.

The unknown attacker was able to gain access to Code Spaces' Amazon EC2 control panel, and left a number of messages for the company to contact them using a Hotmail address. Doing so yielded an extortion demand. When the company realized the attacker had access to the EC2 control panel, further investigation revealed the person also had access to the data in the company's systems, although no machine access occurred, because the intruder did not have the private keys.

The company statement continues:

At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel. We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMI's, some EBS instances and several machine instances.

Patrick Thomas, security consultant for Neohapsis, calls the situation a "nightmare scenario" for cloud services companies:

This is a wakeup call to other organizations that have critical assets on cloud services. Two-factor authentication and detailed event monitoring and alerting are essential components of any cloud strategy.

Offsite backups have been considered a necessary operating procedure for any sensitive data, but in the age of cloud infrastructure many organizations think that they can simply pass the buck on backups, getting their geographic distribution and redundancy for free as part of going to the cloud. However, anything that's vulnerable to the same threats isn't fulfilling the original intent of offsite backups. Perhaps it makes more sense to start talking in terms of diversified backups, to emphasize the broad types of threats that a backup strategy must mitigate.

Jim Reavis, chief executive officer of the Cloud Security Alliance, stresses that DDoS attacks and other malicious activity have caused business outages and shutdowns before among companies using traditional IT, and that cloud computing itself was hardly a factor in exacerbating Code Spaces' demise. He told me in an email:

Cloud users of IaaS [infrastructure-as-a-service] like Code Spaces have significant responsibilities in implementing security best practices to protect their system availability and proprietary information, as we have outlined in our security guidance and controls framework. At a high level, tenancy with a robust cloud computing infrastructure should provide greater pipes to withstand DDoS attacks than a small business could afford.
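
The sequence in the company statement (backup logins created first, then snapshots, buckets and AMIs deleted) is what the event monitoring and alerting Thomas recommends is meant to surface. The following is an added example, not code from the article or from Code Spaces: a Python check over constructed audit records, assuming CloudTrail-style `eventTime` and `eventName` fields and a flattened, hypothetical `userName` field.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# AWS API action names, as they would appear in an audit record's eventName.
CREDENTIAL_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                     "AttachUserPolicy", "PutUserPolicy"}
DESTRUCTIVE_EVENTS = {"DeleteSnapshot", "DeleteBucket", "DeregisterImage",
                      "DeleteVolume", "TerminateInstances"}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect(events, burst=3, window=timedelta(minutes=10)):
    """Alert on every credential change, and once per principal that makes
    `burst` or more destructive calls within `window`."""
    alerts = []
    recent = defaultdict(deque)  # principal -> times of recent destructive calls
    flagged = set()              # principals already reported for a burst
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        who, name = ev["userName"], ev["eventName"]
        when = parse_time(ev["eventTime"])
        if name in CREDENTIAL_EVENTS:
            alerts.append(("new-credential", who, name))
        elif name in DESTRUCTIVE_EVENTS:
            q = recent[who]
            q.append(when)
            while when - q[0] > window:  # drop calls older than the window
                q.popleft()
            if len(q) >= burst and who not in flagged:
                flagged.add(who)
                alerts.append(("destructive-burst", who, name))
    return alerts

# Constructed sample records (simplified fields, not data from the incident).
SAMPLE = [
    {"eventTime": "2014-01-01T09:00:05Z", "userName": "admin", "eventName": "CreateUser"},
    {"eventTime": "2014-01-01T09:00:40Z", "userName": "admin", "eventName": "CreateAccessKey"},
    {"eventTime": "2014-01-01T11:02:00Z", "userName": "ops", "eventName": "DeleteSnapshot"},
    {"eventTime": "2014-01-01T21:15:00Z", "userName": "backup-login", "eventName": "DeleteSnapshot"},
    {"eventTime": "2014-01-01T21:16:10Z", "userName": "backup-login", "eventName": "DeleteBucket"},
    {"eventTime": "2014-01-01T21:17:30Z", "userName": "backup-login", "eventName": "DeregisterImage"},
    {"eventTime": "2014-01-01T21:18:00Z", "userName": "backup-login", "eventName": "TerminateInstances"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The single routine deletion by `ops` stays below the burst threshold, while the new login's rapid deletions raise one alert. Alerts like these are only useful if they are delivered somewhere the monitored account cannot silence.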

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Charlie Babcock,
User Rank: Ninja
7/3/2014 | 2:37:23 PM
Good advice here....
Good advice here from Neohapsis Patrick Thomas against threat of attack in the cloud.
ebyjeeby,
User Rank: Strategist
6/23/2014 | 2:48:03 PM
more security
Sounds like dual-control may be needed - a second person logging on to approve changes - at least for adding another admin and deleting important items
Andre Leonard,
User Rank: Strategist
6/23/2014 | 10:18:30 AM
Redundant back-up.
"Perhaps it makes more sense to start talking in terms of diversified backups, to emphasize the broad types of threats that a backup strategy must mitigate."

Sad it's come to this. Cloud-only back-ups do present certain limitations.
Robert McDougal,
User Rank: Ninja
6/22/2014 | 9:47:15 AM
Re: AWS the Right Platform?
I think the truth lies somewhere between your hypothesis and the published story.  

I would say the most logical explanation is that they simply do not have the ability or desire to fight the attack.
Christian Bryant,
User Rank: Ninja
6/21/2014 | 3:03:10 AM
Re: AWS the Right Platform?
@TalKlein

While you're right, it's more than just that for me. Certainly mirrors/offsites are not also available for deletion through the AWS EC2 control panel? That is more what astounds me than anything - I just find it hard to swallow that a cyber attack erased mirrored backups and offsite backups. I'd want to read more about the incident before being too suspicious, but again, with many a tried/true source code repository platform out there, this scenario reads strangely; either AWS is the wrong platform for a code sharing infrastructure, or something else is going on. I guess what I'm getting at is, if a mistake was made, own up to it - we've all been there and learned from it - and if not, then perhaps some fresh eyes need to look at AWS and how the services are set up. Let's not let our customers (as IT) shoot themselves in the foot on something so basic as how data is backed up and mirrored.
TalKlein,
User Rank: Author
6/21/2014 | 2:03:48 AM
Re: AWS the Right Platform?
You're making the age old case for delegated admin which looks great on paper, but we all know that in reality any company for whom security isn't a core competency will have an administrator who dips their feet in two ponds. In general we must design for failure, which means:

1. Assume administrators are human and therefore gullible

2. Develop a proper mechanism for valuating data

3. Build security models around behavioral risk modeling rather than linear detection

Until we solve for these tenets, life in the Möbius strip remains the status quo.
Christian Bryant,
User Rank: Ninja
6/20/2014 | 7:20:05 PM
AWS the Right Platform?
I wonder at a source code hosting service being framed upon AWS. When it comes to cloud platforms and the type of infrastructure that should be deployed there, I wouldn't have pegged AWS as right for this, though Bitnami has a Gitorious AWS package which seems to be gaining ground. When I think of GitHub, Gitorious, Launchpad, GNU Savannah, GForge and SourceForge - the last thing I imagine is this scenario where the body of decades of valuable free and open source software (FOSS) programming goes down the drain. I love the cloud as much as the next person, but I also believe there are certain properties that need to be hosted more securely, and also propagated across multiple, "untouchable" mirrors. Simply astounding, and almost suspect, that something like this would even be possible with the source code hosting platforms we currently have out there that have stood the test of time (for the most part).