Capital One Data Breach Aftermath: 3 Cyber Threats that Every Organization Should be Mindful

8/4/2019

The data breach at Capital One Financial Corporation, which affected approximately 100 million individuals in the U.S. and approximately 6 million in Canada, throws light on 3 cyber threats that every organization using the public cloud should be mindful of: account takeover attack, attack on a misconfigured web application firewall (WAF) and Server-Side Request Forgery (SSRF) attack.

Large enterprises like Capital One build their own web applications on top of Amazon’s cloud services to meet their specific needs. Amazon told the New York Times it had found no evidence of compromise on its underlying cloud services. The company added that its customers fully control the web applications that they build.

Last July 29th, the U.S. Department of Justice arrested a Seattle resident for the intrusion into the stored data of Capital One. The arrest of the Seattle resident came as an offshoot of an email sent to Capital One’s official responsible-disclosure address. The tipster wrote that someone’s GitHub account was exposing data which appeared to belong to Capital One.

In the indictment document, Joel Martini, Special Agent at the U.S. Federal Bureau of Investigation (FBI), stated that the exposed data was verified to belong to Capital One and that the GitHub account was traced to the accused Seattle resident, who goes by the handle “erratic” on her Twitter and Slack accounts. A review of June 26, 2019 Slack postings, FBI Special Agent Martini said, showed that Erratic claimed to be in possession of files belonging to several companies, government entities and educational institutions, and one of these files was associated with Capital One.

Capital One, in a statement, said that it had fixed the “configuration vulnerability” that was exploited in the data breach. Publicly available data and new information, however, show that more than one cyber threat was exploited in the Capital One data breach.

1. Account Takeover

Account takeover refers to the access of someone else’s online account for malicious purposes. In the indictment, FBI Special Agent Martini stated that the file that was publicly exposed by Erratic in her GitHub account contained a list of more than 700 folders and code for three commands.

The first command, when executed, provides login details to an account that enabled access to certain storage space of Capital One at Amazon’s cloud service. The said account, which had the necessary permissions, was used to extract or copy Capital One’s data. The indictment didn’t mention how the accused got hold of the login details of the account used to access Capital One’s data.

2. Misconfigured Web Application Firewall (WAF)

A web application firewall (WAF) filters, monitors and blocks traffic between a web application and the internet. A properly configured WAF blacklists and/or whitelists traffic to and from a web application.

A WAF that operates based on a blacklist, also known as the negative security model, blocks traffic that fails its predetermined criteria. A WAF that operates on a whitelist, also known as the positive security model, grants entry only to traffic that has been pre-approved. Many of today’s WAFs implement both the negative security model and the positive security model. A typical WAF also protects web applications from attacks such as SQL injection and other common attacks against web applications.

In the indictment document, FBI Special Agent Martini stated that the data breach at Capital One was a result of a misconfigured WAF. Capital One’s logs show a number of connections or attempted connections from IP addresses beginning with 46.246. Specifically, on or about March 12, 2019, Capital One’s logs show that an IP address beginning with 46.246 attempted to access Capital One’s cloud data. Publicly available records show that this IP address is controlled by a company that provides VPN services.

Capital One’s logs also show that IP addresses believed to be TOR exit nodes accessed Capital One’s cloud data on or about March 22, 2019. A properly configured WAF could have blacklisted IP addresses such as those belonging to the known VPN company. Conversely, a properly configured WAF could have whitelisted only the IP address or addresses used by authorized personnel of Capital One. Malicious actors, however, are continually finding creative means of breaking into web applications that are shielded by properly configured WAFs.
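The negative and positive models described above can be checked retrospectively against access logs. The following is an added example, not code from Driz Group or Capital One: it audits constructed log lines against an assumed blocklist (a 46.246.0.0/16 range standing in for the VPN provider’s addresses), an assumed Tor exit-node set, and an assumed corporate allowlist for a sensitive export endpoint.

```python
import ipaddress
import re

# Constructed sample access-log lines (common log format); not real Capital One logs.
SAMPLE_LOG = """\
46.246.12.34 - - [12/Mar/2019:10:01:22 +0000] "GET /api/export HTTP/1.1" 200 5120
10.20.30.40 - - [12/Mar/2019:10:02:05 +0000] "GET /api/export HTTP/1.1" 200 5120
198.51.100.7 - - [22/Mar/2019:03:14:00 +0000] "POST /api/export HTTP/1.1" 200 9000
10.20.30.41 - - [22/Mar/2019:03:15:10 +0000] "GET /health HTTP/1.1" 200 12
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Negative security model: ranges this application should never see (assumed values).
BLOCKLIST = [ipaddress.ip_network("46.246.0.0/16")]          # VPN provider range, assumed /16
TOR_EXIT_NODES = {ipaddress.ip_address("198.51.100.7")}      # constructed stand-in for a Tor exit list
# Positive security model: only the corporate range may reach sensitive paths (assumed).
ALLOWLIST = [ipaddress.ip_network("10.20.30.0/24")]
SENSITIVE_PATHS = ("/api/export",)


def classify(ip_str, path):
    """Return a verdict for one request: blocklist first, then Tor, then allowlist."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in BLOCKLIST):
        return "blocklisted"
    if ip in TOR_EXIT_NODES:
        return "tor-exit"
    if path.startswith(SENSITIVE_PATHS) and not any(ip in net for net in ALLOWLIST):
        return "not-allowlisted"
    return "ok"


def audit(log_text):
    """Parse each log line and collect (ip, path, verdict) for anything not 'ok'."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else ""
        verdict = classify(m.group("ip"), path)
        if verdict != "ok":
            findings.append((m.group("ip"), path, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```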

3. Server Side Request Forgery (SSRF) Vulnerability

New information has recently been made public about the Capital One data breach. Based on new data, including information from one who is privy to details about the ongoing Capital One breach investigation, during the attack period, Capital One used ModSecurity, an open-source WAF that’s deployed along with the open-source Apache Web server.

The new report said that the Server Side Request Forgery (SSRF) vulnerability was exploited in the Capital One data breach. While ModSecurity protects web applications against many common attack categories, it doesn't protect against SSRF.

MITRE describes SSRF in this manner: “The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly.”
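The MITRE description points at the missing control: the server must ensure the request is going to an expected destination before it fetches anything. The following is an added example, not code from the original post or from ModSecurity: it validates an outbound URL against an assumed scheme and host allowlist and then checks the resolved address against internal ranges, using a constructed resolver so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Destinations the application is genuinely expected to fetch from (assumed allowlist).
ALLOWED_HOSTS = {"reports.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}

# Ranges an internet-facing fetcher should never be steered into.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). The resolver mirrors socket.getaddrinfo's shape."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host or "@" in parsed.netloc:          # userinfo tricks change the real host
        return False, "malformed authority"
    if host not in ALLOWED_HOSTS:
        return False, "host not allowlisted"
    try:
        infos = resolver(host, parsed.port or 443)
    except OSError:
        return False, "resolution failed"
    for info in infos:                             # every resolved address must be external
        ip = ipaddress.ip_address(info[4][0])
        if is_internal(ip):
            return False, f"resolves to internal address {ip}"
    return True, "ok"


# Constructed resolver so the example runs offline; cdn.example.com is deliberately
# mapped to an internal address to show the post-resolution check firing.
_FAKE_TABLE = {"reports.example.com": "203.0.113.10", "cdn.example.com": "10.0.0.5"}


def fake_resolver(host, port):
    if host not in _FAKE_TABLE:
        raise socket.gaierror("constructed resolver: unknown host")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_FAKE_TABLE[host], port))]
```

The allowlist check is the primary control; the resolved-address check is defence in depth for the case where an allowed name is later pointed at an internal address.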

Prevention

In the case of the Capital One data breach, one can’t say which of the attack methods – account takeover attack, attack on a misconfigured WAF or Server-Side Request Forgery (SSRF) attack – played the biggest role in the data breach. These 3 types of threats have their own specific preventive and mitigating measures that every organization using the public cloud should be mindful of.

When you need to safeguard your cloud applications, our web application security expert will design the right-sized solution and will mitigate common risks within minutes. Contact us today and avoid a major breach.

Author: Steve E. Driz, I.S.P., ITCP