The San Francisco-based company is used by more than 12 million people around the world. Among its more than 2,000 corporate clients are companies like Dell, Pinterest, and Yelp as well as hundreds of software-as-a-service firms and software vendors. Amazon Web Services, Cisco Webex, Google Analytics, LinkedIn, and Microsoft Office 365 are all linked to OneLogin.
But on May 31st Alvaro Hoyos who heads the company’s risk management, security and compliance efforts, posted a blog saying that OneLogin had detected that a hacker had accessed the company’s system.
“Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017, around 2 am PST,” he said. “Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance.”
He said that the affected instances, as well as the AWS keys that were used to create them, were immediately shut down.
Hackers may have been able to decrypt customer data, but it is still unclear how many customers were affected by the attack.
“The threat actor was able to access database tables that contain information about users, apps, and various types of keys,” said Hoyos. “While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.”
At least one head of a cloud security company is saying that this incident and a string of other breaches serve to highlight the reality that the cloud remains insecure.
“This leak brings to the forefront the topic of shared responsibility, which cloud providers have been preaching for many years,” said Varun Badhwar, CEO and co-founder of RedLock. “The problem is not that the cloud is insecure, but ultimately customers are responsible for securely configuring their networks, applications, and data.”
RedLock is a Menlo Park, Calif.-based cloud infrastructure security firm. It helps organizations automate attack detection and remediation. RedLock also offers solutions for investigating security misconfigurations that risk leaking data from cloud environments.
Recently, RedLock released new research showing that 40 per cent of organizations have at least one cloud storage service, such as AWS S3, that is “inadvertently exposed to the public due to misconfiguration.”
The company also found that 63 per cent of access keys had not been rotated in over 90 days, making it easy for malicious actors to leverage compromised keys to infiltrate cloud environments as privileged users – this is what happened in the case of OneLogin, according to RedLock.
“It turns out the OneLogin security breach occurred due to the AWS access keys to the OneLogin production environment being compromised,” said Badhwar.
It is not uncommon for AWS access keys to be exposed. The RedLock CSI team has already reported such incidents to dozens of organizations in which their AWS access keys were exposed on public Web sites, in source code repositories, on unprotected Kubernetes dashboards, and in other such forums, according to the RedLock executive.
In order to avoid an attack like the one experienced by OneLogin, he said, organizations need to do the following:
- Treat AWS access keys as the most sensitive crown jewels, and educate developers to avoid leaking such keys in public forums
- Enforce periodic access key rotation
- Create unique keys for each external service, and restrict access following the principle of least privilege
- Deploy solutions that can detect and prevent exposure or misuse of such access keys
- Ensure capabilities exist to rapidly perform investigations, should a breach occur
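One way to enforce the rotation recommendation above is to audit the AWS IAM credential report for active access keys older than the 90-day window RedLock cites. The following is an added example, not code from the article or from RedLock; the column names follow the real credential report format, but the report rows, account ID and user names are constructed sample data, and a fixed reference date is used so the check runs offline.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report.
# Only the columns this check reads are included; real reports carry more.
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,true,2017-01-15T10:00:00+00:00,false,N/A
analytics,arn:aws:iam::123456789012:user/analytics,true,2017-05-20T08:30:00+00:00,true,2016-11-01T12:00:00+00:00
ci-runner,arn:aws:iam::123456789012:user/ci-runner,false,2016-02-01T00:00:00+00:00,false,N/A
"""

# Rotation window taken from the 90-day figure in the article.
MAX_KEY_AGE = timedelta(days=90)

# Fixed reference date (hypothetical) so the result is deterministic offline.
AS_OF = datetime(2017, 6, 1, tzinfo=timezone.utc)


def parse_time(value):
    """Return a timezone-aware datetime, or None for 'N/A' / empty cells."""
    if not value or value in ("N/A", "no_information"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_access_keys(report_csv, now, max_age=MAX_KEY_AGE):
    """Return (user, key_slot, age_days) for every active key older than max_age.

    Inactive keys are skipped: they cannot be used, so rotation is moot until
    they are deleted. Keys with no rotation timestamp are also skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"].lower() != "true":
                continue
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = now - rotated
            if age > max_age:
                findings.append((row["user"], f"access_key_{slot}", age.days))
    return findings


if __name__ == "__main__":
    for user, slot, days in stale_access_keys(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {slot} last rotated {days} days ago (limit {MAX_KEY_AGE.days})")
```

Against a real account, feed the function the CSV returned by `aws iam get-credential-report` and the current UTC time instead of the constructed values.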
“Organizations adopting cloud services must ensure they have complete visibility into the network traffic, system configurations and user activities across all their cloud infrastructure environments,” said Badhwar. “It’s easy for developers to make mistakes when environments are constantly changing.”