Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Connect Directly
E-Mail vvv

Capital One Breach: What Security Teams Can Do Now

Knowing the methods of the attacker, as laid out in the federal indictment, allow us to prevent similar attacks.

Oh, the Monday blues. You start the week moody because the weekend is over, though the feeling typically subsides once you're in the office. But for the 106 million people with stolen data affected by the Capital One data breach, the Monday blues on July 29 were dark indeed.  

That's when Capital One first announced it had determined "there was unauthorized access by an outside individual who obtained certain types of personal information" relating to its customers on July 19, 2019. The compromised data included names, addresses, phone numbers, self-reported income, credit scores, and payment histories, among other personal information belonging to approximately 100 million customers in the United States and 6 million in Canada. The alleged perpetrator of this breach, Paige Thompson, has already been arrested by federal law enforcement.

The team at Digital Shadows has been closely following the indictment and the resulting fallout, including the media coverage. Using the MITRE ATT&CK and PRE-ATT&CK framework, we've identified what we know and a number of practical steps to help security teams avoid similar situations.

What We Know
On July 17, 2019, an email was received by Capital One's responsible disclosure inbox claiming that internal data was posted to GitHub. Capital One's investigation revealed a file time-stamped April 21, 2019, containing the IP address of one of Capital One's cloud instances. Upon review, there were indications that its cloud environment had been compromised by an attacker who subsequently exfiltrated data from it.

Here is what we know about the attacker's process:

1. Initial Access: T1190 Exploit Public-Facing Application, T1133 External Remote Services
Execution: T1059 Command-Line Interface
"A firewall misconfiguration permitted commands to reach and be executed by that server," according to the indictment. It is unclear precisely which misconfiguration was used to compromise the cloud instance but there are some possibilities:

  • A vulnerable web application was inadvertently exposed to the Internet and exploited, possibly via a server-side request forgery attack.
  • A remote access service was inadvertently exposed to the Internet with no or weak credentials.

Mitigation: It's critical to continuously assess cloud environments for security issues, especially those at risk of external access from the public Internet. Reviewing security group configurations regularly can help ensure that services are not accidentally exposed and access controls are correctly applied.

2. Credential Access: T1098 Account Manipulation
The attacker was able to gain unauthorized access to temporary role credentials once in Capital One's cloud instance. Three commands were retrieved from the GitHub file, according to the indictment, which the attacker used for post-exploitation activities. Temporary credentials were generated by the first command.

Mitigation: When an authorized entity, such as a user or an application, requires access to an AWS service, the identity access management (IAM) system issues a set of temporary credentials. However, continuously monitoring these credential sets is challenging in complex cloud environments due to their dynamic nature. Although it does take significant effort to make this mitigation technique work effectively, it can prove effective when dealing with an infiltration.

3. Discovery: T1007 System Service Discovery
The second post-exploitation command was to list the Amazon S3 buckets that the attacker assumed they had access to given their identity.

Mitigation: While real-time alerting is an issue, AWS CloudTrail logging can help an organization track this type of activity. CloudTrail keeps a log of activity on your AWS account and stores it in an S3 bucket for you for further analysis.

4. Exfiltration: T1048 Exfiltration Over Alternative Protocol
According to the indictment, syncing the S3 bucket contents with an attacker-controlled server was the third post-exploitation command executed. This relied on access granted via the assumed identity providing the attacker with access to more than 700 buckets.

Mitigation: As with the previous issue, AWS CloudTrail logging can help an organization track this type of activity, despite the real-time alerting issue.

5. PRE-ATT&CK Establish and Maintain Infrastructure
T1329 Acquire and/or Use Third-Party Infrastructure Services
The attacker used a combination of Tor and IPredator (a paid VPN provider) to hide her network identity when attacking the Capital One cloud environment, as stated in the indictment.

Mitigation: Whitelisting access to resources from a set of known-good IP addresses, if possible, can help prevent unauthorized access. IP whitelisting should only be used in conjunction with other, strong authentication mechanisms — it can only be applied in environments where it is known from where an authorized user will be accessing an environment.

What We Don't Know
The attacker worked for Amazon in the past so the "insider" angle has been played up in the media. However, the indictment does not imply that the attacker had any privileged access based on previous employment. Instead, it appears that the attacker used her knowledge and experience to exploit a vulnerability in the misconfigured firewall. 

The attacker's motives remain unconfirmed. While many data breaches conducted against banks are financially motivated, the Capital One hack was publicized by the attacker, a known member of a hacking club. It is possible that this hack was conducted for personal motives, but details are still unfolding.

Related Content:

Richard Gold is a hands-on information security professional who has over a decade's worth of experience in understanding and securing computer networks. With his background as a Certified SCADA Security Architect and a Ph.D. in computer networking, Richard uses knowledge ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/27/2019 | 10:18:55 AM
Re: Some people

"Amazon Web Services "was not compromised in any way and functioned as designed," Amazon said in a statement, adding that the reason for the breach was a misconfiguration of firewall settings managed on the cloud server by Capital One, not a vulnerability in the cloud server itself."

This was done intentionally because of the WAF's configuration, it has to be configured to allow such entry (she had insider knowledge). She intentionally modified permissions from the AWS WAF-Role to allow for this type of attack. One thing that they left out, how did she gain access to the AWS cloud environment when the SG (Security Groups) and VPN access should have blocked this intrusion from an mgmt standpoint (again another area of weak security rules and no one reviewing the work).

Also, there is something that was left out, if they (Capital-One) were not notified of the incident and she did not share her experience online, then how long would this have gone on before they would have known (years)?

This is what I mean by organizations who have been lax in their security mechanisms even though they profess to ensure data integrity at all costs (why didn't they know about customer account data being moved or copied, NSA had the same problem with Ed Snowden, if he had not said anything to the public, they would have never known, seems as though history is repeating itself and we continue to miss our lessons-learned).


User Rank: Ninja
8/25/2019 | 9:16:30 AM
Excellent write up
Excellent write-up, you brought up some valid and key points. One thing that may have been overlooked by Capital one is that this may have been planned from the beginning. But I do think the infiltration or compromise was much easier than that.

When she worked for capital one, she intentionally created a back door where she had implemented credentials under another name as well as misconfigured the WAF intentionally; remember, she had full access to the security section of AWS therefore she had access to all of the access and secret keys. But it will be interesting to see what unfolds in the next few months as more case information is brought to the public.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.