Oh, the Monday blues. You start the week moody because the weekend is over, though the feeling typically subsides once you're in the office. But for the 106 million people with stolen data affected by the Capital One data breach, the Monday blues on July 29 were dark indeed.
That's when Capital One first announced it had determined "there was unauthorized access by an outside individual who obtained certain types of personal information" relating to its customers on July 19, 2019. The compromised data included names, addresses, phone numbers, self-reported income, credit scores, and payment histories, among other personal information belonging to approximately 100 million customers in the United States and 6 million in Canada. The alleged perpetrator of this breach, Paige Thompson, has already been arrested by federal law enforcement.
The team at Digital Shadows has been closely following the indictment and the resulting fallout, including the media coverage. Using the MITRE ATT&CK and PRE-ATT&CK framework, we've identified what we know and a number of practical steps to help security teams avoid similar situations.
What We Know
On July 17, 2019, an email was received by Capital One's responsible disclosure inbox claiming that internal data was posted to GitHub. Capital One's investigation revealed a file time-stamped April 21, 2019, containing the IP address of one of Capital One's cloud instances. Upon review, there were indications that its cloud environment had been compromised by an attacker who subsequently exfiltrated data from it.
Here is what we know about the attacker's process:
1. Initial Access: T1190 Exploit Public-Facing Application, T1133 External Remote Services
Execution: T1059 Command-Line Interface
"A firewall misconfiguration permitted commands to reach and be executed by that server," according to the indictment. It is unclear precisely which misconfiguration was used to compromise the cloud instance but there are some possibilities:
- A vulnerable web application was inadvertently exposed to the Internet and exploited, possibly via a server-side request forgery attack.
- A remote access service was inadvertently exposed to the Internet with no or weak credentials.
Mitigation: It's critical to continuously assess cloud environments for security issues, especially those at risk of external access from the public Internet. Reviewing security group configurations regularly can help ensure that services are not accidentally exposed and access controls are correctly applied.
2. Credential Access: T1098 Account Manipulation
The attacker was able to gain unauthorized access to temporary role credentials once in Capital One's cloud instance. Three commands were retrieved from the GitHub file, according to the indictment, which the attacker used for post-exploitation activities. Temporary credentials were generated by the first command.
Mitigation: When an authorized entity, such as a user or an application, requires access to an AWS service, the identity access management (IAM) system issues a set of temporary credentials. However, continuously monitoring these credential sets is challenging in complex cloud environments due to their dynamic nature. Although it does take significant effort to make this mitigation technique work effectively, it can prove effective when dealing with an infiltration.
3. Discovery: T1007 System Service Discovery
The second post-exploitation command was to list the Amazon S3 buckets that the attacker assumed they had access to given their identity.
Mitigation: While real-time alerting is an issue, AWS CloudTrail logging can help an organization track this type of activity. CloudTrail keeps a log of activity on your AWS account and stores it in an S3 bucket for you for further analysis.
4. Exfiltration: T1048 Exfiltration Over Alternative Protocol
According to the indictment, syncing the S3 bucket contents with an attacker-controlled server was the third post-exploitation command executed. This relied on access granted via the assumed identity providing the attacker with access to more than 700 buckets.
Mitigation: As with the previous issue, AWS CloudTrail logging can help an organization track this type of activity, despite the real-time alerting issue.
5. PRE-ATT&CK Establish and Maintain Infrastructure
T1329 Acquire and/or Use Third-Party Infrastructure Services
The attacker used a combination of Tor and IPredator (a paid VPN provider) to hide her network identity when attacking the Capital One cloud environment, as stated in the indictment.
Mitigation: Whitelisting access to resources from a set of known-good IP addresses, if possible, can help prevent unauthorized access. IP whitelisting should only be used in conjunction with other, strong authentication mechanisms — it can only be applied in environments where it is known from where an authorized user will be accessing an environment.
What We Don't Know
The attacker worked for Amazon in the past so the "insider" angle has been played up in the media. However, the indictment does not imply that the attacker had any privileged access based on previous employment. Instead, it appears that the attacker used her knowledge and experience to exploit a vulnerability in the misconfigured firewall.
The attacker's motives remain unconfirmed. While many data breaches conducted against banks are financially motivated, the Capital One hack was publicized by the attacker, a known member of a hacking club. It is possible that this hack was conducted for personal motives, but details are still unfolding.