Cloud services have been of enormous benefit to enterprises, delivering infrastructure and applications without the overhead of owning and operating complex IT systems. However, the more we use them, the more apparent it becomes that, by introducing additional abstraction layers and interdependencies for infrastructure, applications and authentication, cloud services expose users to significant unforeseen security vulnerabilities. These generally seep through the seams between service providers and their customers and exploit the often transitive nature of access rights within a multi-tenant cloud service.
One example is the Capital One exploit that I detailed last month, in which an extremely skillful hacker, who gained detailed knowledge of cloud service internals by working at AWS, used a simple configuration mistake and some convoluted security properties of an AWS feature to comb through the data of a cloud-savvy organization like Capital One looking for extractable nuggets. Another example of the unintended consequences of cloud service usage was unearthed by indefatigable security researcher Brian Krebs, and it shows how your weakest security link can be someone you’ve never heard of who happens to be a customer of a cloud service provider you also use. Think of it as the cloud version of “the friend of your friend is your enemy.”
SaaS multi-tenancy is a phisher’s delight
The attack Krebs discovered used SaaS CRM and marketing services as a conduit: by exploiting weaknesses at one third party, the attackers sent convincing phishing emails to another company’s customers, an ingenious move I characterized as the double bank shot.
The attack flow is hard to follow, so I’ve captured the basics in the diagram below, but it essentially went like this:
- ‘Your company’, United Rentals (UR) in this case, hires a third-party marketing platform to conduct promotional campaigns, some of which occur via email to customers.
- That platform, Pardot in this case, also has many other clients, some of them smaller firms with weak cyber security. Like you, Pardot runs on Salesforce.com for CRM, and you grant it access to your customer list to use as targets for promotional emails.
- UR dedicates a DNS subdomain (something like rentalsnow.unitedrental.com) to the platform so that the messages it sends appear to come from UR. Although UR owns the namespace, the email content is generated and sent by the platform, and the configuration and security of that sending path are handled by the subcontractor, Pardot in this case.
- Meanwhile, a third-party marketing firm unknown to UR also uses the Pardot service, with Salesforce as its back end, for its own marketing activity.
- Attackers compromise one or more accounts at that small marketing firm and use them to get into Pardot’s systems and ultimately the Salesforce back end, which includes UR’s customer list and its email interface.
- From there, the attackers generate phishing emails with a malware payload or link that appear to come from UR, targeting the customers of ‘your company’ in the diagram below.
- UR is unaware of the phishing emails until it hears from angry or confused customers wondering why they are being pestered about an unpaid invoice.
According to a response from UR’s privacy division to Krebs’ questions (emphasis added):
Based on current knowledge, we believe that an unauthorized party gained access to a vendor platform United Rentals uses in connection with designing and executing email campaigns. The unauthorized party was able to send a phishing email that appears to be from United Rentals through this platform. The phishing email contained links to a purported invoice that, if clicked on, could deliver malware to the recipient’s system. While our investigation is continuing, we currently have no reason to believe that there was unauthorized access to the United Rentals systems used by customers, or to any internal United Rentals systems.
In other words, UR and its customers were the victims of weak customer isolation at a cloud service provider combined with security mistakes by an unknown third party.
Lest it seem like I’m picking on Salesforce.com as a juicy conduit for phishing emails, another technique targets quirks in the configuration of cloud email services like Office 365 and G Suite. The exploit bypasses the spam filters of companies using these services by deliberately misconfiguring the email setup of another account on the same service so that it routes mail for any domain hosted there. While Microsoft provides settings that can thwart such techniques, as the author of the linked post notes, they are so restrictive that they often block too aggressively; an executive missing an important message that way is, in the author’s words, a “resume generating event for mail administrators.”
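The common thread in the United Rentals case and the shared-tenant trick above is that email authentication alone does not settle who is behind a message. When UR delegated a subdomain to its marketing vendor, mail the vendor sent from it would pass SPF and DKIM and align under DMARC, so the phish looked exactly as legitimate as a promotion. A relay through some other tenant, by contrast, can at best authenticate that tenant’s own domain, which is what DMARC alignment is designed to catch. The following is an added example, not code from the column or from any of the vendors named in it, that evaluates a message’s Authentication-Results header against its From domain and then applies the policy a recipient can enforce on top: a subdomain delegated for promotions has no business carrying invoices or account alerts. All three messages, their hostnames, DKIM selectors and the delegated-subdomain list are constructed for the example; the unaligned sample stands in for a generic relayed message and makes no claim about the exact headers the technique in the linked post produces.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (hostnames, selectors and addresses are invented).
# First, the United Rentals pattern: a lure sent by the marketing vendor from a
# subdomain the company delegated to it, so SPF and DKIM pass and DMARC aligns.
PHISH_VIA_VENDOR = """\
Authentication-Results: mx.example-customer.net;
 spf=pass smtp.mailfrom=bounce@rentalsnow.unitedrental.com;
 dkim=pass header.d=rentalsnow.unitedrental.com header.s=vendor1;
 dmarc=pass header.from=rentalsnow.unitedrental.com
From: "United Rentals Billing" <ar@rentalsnow.unitedrental.com>
To: buyer@example-customer.net
Subject: Overdue invoice #48811 - action required

Your invoice is past due. View it at https://invoice-portal.example/view
"""

# A message that claims the company's apex domain in From but was authenticated
# only for some other tenant's domain: SPF and DKIM pass, nothing aligns.
PHISH_UNALIGNED = """\
Authentication-Results: mx.example-customer.net;
 spf=pass smtp.mailfrom=postmaster@other-tenant.example;
 dkim=pass header.d=other-tenant.example header.s=selector1;
 dmarc=fail header.from=unitedrental.com
From: "United Rentals" <ar@unitedrental.com>
To: buyer@example-customer.net
Subject: Your account has been suspended

Log in to restore access: https://other-tenant.example/login
"""

# The legitimate use of the delegated subdomain: a promotion.
LEGIT_PROMO = """\
Authentication-Results: mx.example-customer.net;
 spf=pass smtp.mailfrom=bounce@rentalsnow.unitedrental.com;
 dkim=pass header.d=rentalsnow.unitedrental.com header.s=vendor1;
 dmarc=pass header.from=rentalsnow.unitedrental.com
From: "United Rentals" <news@rentalsnow.unitedrental.com>
To: buyer@example-customer.net
Subject: Spring equipment specials

Save on aerial lifts this month.
"""

# Subdomains this recipient knows its counterparty hands to marketing vendors (assumed).
DELEGATED_SUBDOMAINS = {"rentalsnow.unitedrental.com"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)")
LURE_RE = re.compile(r"\b(invoice|overdue|past due|payment|wire|suspended|password|verify)\b", re.I)


def domain_of(addr):
    """Domain part of an email address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if addr else ""


def org_domain(domain):
    """Organisational domain as DMARC relaxed alignment sees it. This keeps the
    last two labels only; a real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_auth_results(value):
    """Parse an Authentication-Results header into {method: {result, properties}}.
    Trust this header only when its authserv-id (the text before the first ';')
    is your own MX; strip copies added by anyone else before evaluating."""
    clauses = " ".join(value.split()).split(";")
    out = {}
    for clause in clauses[1:]:          # clauses[0] is the authserv-id
        m = AUTH_RE.search(clause)
        if not m:
            continue
        method, result = m.groups()
        out[method] = {"result": result.lower()}
        out[method].update((k, v.lower()) for k, v in PROP_RE.findall(clause))
    return out


def dmarc_aligned(auth, from_domain):
    """Relaxed DMARC alignment: SPF or DKIM passed for the From org domain."""
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_ok = (spf.get("result") == "pass"
              and org_domain(domain_of(spf.get("smtp.mailfrom", ""))) == org_domain(from_domain))
    dkim_ok = (dkim.get("result") == "pass"
               and org_domain(dkim.get("header.d", "")) == org_domain(from_domain))
    return spf_ok or dkim_ok


def classify(raw, delegated=DELEGATED_SUBDOMAINS):
    """Return a disposition string for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if not from_domain or not dmarc_aligned(auth, from_domain):
        return "reject: From domain not authenticated"
    # Passing authentication proves only that the delegated vendor sent it.
    # A subdomain delegated for promotions should never carry invoices or
    # account alerts, so such lures are quarantined even though they pass.
    if from_domain in delegated and LURE_RE.search(msg.get("Subject", "")):
        return "quarantine: transactional lure from delegated marketing subdomain"
    return "deliver"


if __name__ == "__main__":
    for name, raw in [("vendor phish", PHISH_VIA_VENDOR), ("unaligned", PHISH_UNALIGNED), ("promo", LEGIT_PROMO)]:
        print(f"{name:13} -> {classify(raw)}")
```

The second check is the one the UR incident argues for: authentication tells you which tenant of which vendor sent a message, not whether that tenant was still under its owner’s control, so the recipient’s policy has to encode what a delegated sending domain is allowed to ask of them.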
The United Rentals incident isn’t the first time that hackers have used SaaS systems to attack a company’s customers. Krebs documented other phishing attacks that used Workday to trick victims into revealing their login credentials. In this scenario, attackers peruse the Workday site, making a list of the customers it boasts about when marketing the service. Phishers do some testing to find those Workday users not using multi-factor authentication and then send well-crafted emails to C-level executives at these firms purporting to come from Workday, asking them to log in and approve something or address a problem.
Phishing for SaaS
The phishing messages are extremely persuasive, since, as Krebs points out, the Workday site once made it easy to find an HTML template for the target company’s login screen. My testing shows that Workday closed this loophole, but finding target Workday login pages is quite simple using Web searches or by randomly entering “myworkday.com/companyname” in a browser. As Krebs illustrates, substituting “Netflix” for “companyname” above yields a Google OAuth page, a login system that has already been exploited by phishers. Using other company names or abbreviations often brings up a customized Workday login screen. In either case, by mimicking the UI and obfuscating the URL, phishers can fool many victims into revealing their credentials, thereby granting the attacker executive-level access to their company’s HR system.
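The “obfuscating the URL” step is where a defender can push back, because a lookalike page can copy the UI pixel for pixel but cannot sit under the real registrable domain. The following is an added example, not from the column or from Workday, showing the check a mail gateway or browser extension would apply to a link that claims to lead to a SaaS login: reduce the host to its registrable domain (eTLD+1) and compare that, rather than the whole URL string, against an allowlist. The allowlist, the brand tokens and the tiny stand-in for the Public Suffix List are assumptions made for the example, and treating every host under myworkday.com as a trusted tenant login is likewise an assumption rather than Workday documentation.

```python
import ipaddress
from urllib.parse import urlsplit

# Registrable domains this company's staff legitimately sign in to (constructed allowlist).
TRUSTED_LOGIN_DOMAINS = {"myworkday.com", "google.com"}
# Brand tokens whose appearance outside a trusted domain signals a lookalike.
BRAND_TOKENS = ("workday", "google")
# Stand-in for the Public Suffix List; a real deployment loads the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the registrable domain (eTLD+1) of a hostname, e.g. wd5.myworkday.com -> myworkday.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_login_url(url):
    """Classify a link that claims to lead to a SaaS login page.

    The decision is made on the parsed hostname, never on the raw string:
    urlsplit() discards the userinfo part, so 'https://www.myworkday.com@203.0.113.5/'
    resolves to host 203.0.113.5, which is what the browser would connect to.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # lower-cased, userinfo and port removed
    if parts.scheme != "https":
        return "suspicious: not https"
    if not host.isascii():
        return "suspicious: non-ASCII hostname (possible homoglyph)"
    if is_ip_literal(host):
        return "suspicious: IP address literal"
    if registrable_domain(host) in TRUSTED_LOGIN_DOMAINS:
        return "trusted"
    # The brand name appears in the host, or in the userinfo the address bar
    # shows first, but the registrable domain belongs to someone else.
    haystack = (host + " " + (parts.username or "")).lower()
    if any(token in haystack for token in BRAND_TOKENS):
        return "suspicious: brand lookalike outside trusted domain"
    return "unknown: not an allowlisted login domain"


if __name__ == "__main__":
    for link in [
        "https://www.myworkday.com/netflix/login.htmld",
        "https://myworkday.com.hr-portal.example/login",
        "https://www.myworkday.com@203.0.113.5/login",
        "https://www.myworkd\u0430y.com/acme",            # Cyrillic 'a' homoglyph
        "http://www.myworkday.com/acme",
    ]:
        print(f"{check_login_url(link):55} {link}")
```

Substring matching on brand tokens is deliberately crude and will flag legitimate third-party pages that mention a vendor; the point is that the trusted decision depends only on the registrable domain, so no amount of prefixing, userinfo padding or path decoration can earn it.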
While SaaS providers are fertile ground for phishers looking for digital identities, they aren’t the only third-party services that expose users to security threats. As I pointed out a few months ago, the infamous Target credit card theft started with attackers cracking the systems of an obscure HVAC vendor, from where they wormed into Target’s internal payment network and point of sale systems. Indeed, attacking third-party payment processors is the most common way of harvesting credit card numbers from a large retailer. According to Krebs:
Nine times out of ten, when a financial institution can’t figure out the source of a breach related to a batch of fraudulent credit card transactions, the culprit is one of these third-party POS providers. And in the vast majority of cases, a review of the suspect POS provider shows that they list every one of their customers somewhere on their site.
Putting cloud security in perspective
The success of ransomware and payment card fraud at monetizing identity theft, and the similar effectiveness of targeted phishing campaigns at delivering malware, have contributed to a steady increase in phishing attacks, as documented by the latest Phishing Activity Trends Report by the Anti-Phishing Working Group (APWG). There is a simultaneous increase in the sophistication of such attacks, as evidenced by the incidents documented here and by a significant increase in the number of phishing URLs that use HTTPS to give victims a false sense of security. Another report, by Phishlabs, notes that credential-theft schemes now account for the majority of phishing attacks.
Even though the attacks documented here exploited weaknesses in cloud security implementations, they don’t undermine the broader argument that the security of cloud systems and services writ large is better than that found in the vast majority of enterprises. Indeed, a recent vendor survey on cloud security by Nominet shows that the cloud’s security benefits are now acknowledged by most C-level technology executives. The survey found that “61 percent of security professionals believe the risk of a security breach is the same or lower in cloud environments compared to on-premise,” even though 37 percent of them continue to have serious concerns about cloud security. These center on the risk of losing sensitive customer data, the growing sophistication of cyber criminals (which we have documented here and in previous columns) and a higher number of threat vectors when using cloud services (which we again saw in the United Rentals incident).
Cyber security has always been a never-ending game of whack-a-mole, and the use of cloud services merely shifts it to a different venue. Indeed, while the cloud vendors have been extraordinarily successful at plugging holes in conventional infrastructure, by releasing new services with entirely new software interfaces and more complicated role-based security models they open new avenues of attack. Furthermore, by federating user authentication and allowing identities and credentials to span multiple providers, cloud services create a transitive security model in which one user can be left exposed by vulnerabilities and mistakes at another.
All of these shortcomings are the result of growing pains, where the pace of technological change outpaces that of sound governance and security controls. However, the situation also means that cloud users must redouble their security efforts, which the Nominet survey fortunately shows them doing. Likewise, incidents such as the phishing attack described here, along with previous, non-cloud-enabled exploits perpetrated through contract vendors, underscore the need to more thoroughly vet the third-party vendors that organizations allow inside their private networks or let access their cloud infrastructure and applications. In the cloud era, there’s no trust, only verify.