Data/Security Breaches

Part 01 of five

AWS - Data Breaches

Some of the most notable security breaches for Amazon Web Services (AWS) were recorded by Uber, Republican National Committee, Election Systems & Software (ES&S), WWE, and Alteryx. These security breaches were chosen as the most notable based on the number of people affected and the sensitivity of the data exposed.

Uber

  • In 2016, hackers gained access to a private GitHub site used by Uber engineers, where they obtained credentials that they then used to access data stored on Amazon Web Services (AWS).
  • This security breach affected 57 million drivers and customers. The names, mobile phone numbers, and email addresses of the affected customers were stolen.
  • Uber was forced to pay a ransom of $100,000 to the hackers to destroy all the copied records.
  • This security breach received a huge uproar since the company had concealed this information from those affected for a year.

Republican National Committee

  • In June 2017, Deep Root Analytics, a Republican-party-backed big data company, stored voter profiling data and personal information on a publicly accessible S3 bucket. An engineer working with the company used a public storage configuration instead of a private one, a move that exposed the personal data of 198 million American voters.
  • The exposed data combined market research data with publicly accessible information on the voters. The information could be used to build models that predict an individual voter’s behavior in the coming election.
  • Personal data exposed by this security breach included the date of birth, home and mailing address, phone numbers, self-reported background, and party affiliation.

Election Systems & Software (ES&S)

  • In August 2017, nearly every registered voter in Chicago had his or her data exposed to the public. This security breach occurred when “ES&S engineer left AWS S3 bucket for public access.”
  • The personal information exposed for the 1.8 million voters included names, phone numbers, social security numbers, addresses, and driver’s licenses.
  • The exposed data had been created in 2016 by the Chicago Board of Election Commissioners during the US general elections.
  • The security breach was discovered by UpGuard researchers who reported the leak privately to a government regulator.

WWE

  • In July 2017, personally identifiable information of over 3 million wrestling fans was exposed.
  • The personal data, which included birthdates, ethnicity, earnings, educational background, email and home addresses, and customers’ children’s genders and age ranges, was available on the AWS S3 server without password or username protection.
  • All data was stored in plain text and anyone who knew the web address was able to search and access the personal information of WWE fans.
  • Bob Diachenko of the security firm Kromtech discovered this security breach and informed WWE of it on July 4, 2017. WWE acted swiftly and made the information inaccessible by removing it from the web.

British Passport Data

  • Information accessible to third parties included job applications, proof of address, passport scans, criminal records, expenses and benefits forms, emails and private messages, extensive background checks, and tax documents, among other highly sensitive material.
  • According to researchers, this data came from “Dynamic Partners (closed in 2019); Eximius Consultants Ltd, Garraway Consultants (closed in 2014), IQ Consulting, Partners Associates Ltd (closed in 2018), and Winchester Ltd (closed in 2018).”
  • Most of the data was from 2014-2015, although some files dated back as far as 2011.
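The Deep Root, ES&S and WWE exposures above all came down to an S3 bucket that anyone who knew its URL could read. The script below is an added example, not part of this report or of any AWS tooling: it flags the two ways a bucket becomes public (an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy with a wildcard principal) and records whether S3 Block Public Access would override them. The ACL and policy documents and the bucket names are constructed to mirror the shape that boto3's get_bucket_acl and get_bucket_policy return, so it runs offline.

```python
"""Flag S3 buckets that are readable by anyone (added example, constructed data)."""
import json
from typing import List, Optional

# Grantee URIs meaning "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
# A READ grant to either makes bucket contents public for practical purposes.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_permissions(acl: dict) -> List[str]:
    """Return the permissions an ACL grants to a public group (empty list = none)."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(grant.get("Permission", "UNKNOWN"))
    return found


def _principal_is_public(principal) -> bool:
    """True for the anonymous-principal forms: "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy: dict) -> List[dict]:
    """Return Allow statements that grant access to any principal."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be written as an object
        stmts = [stmts]
    public = []
    for stmt in stmts:
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            # A Condition may narrow the grant (source IP, VPC endpoint). It is still
            # reported, conservatively, so a reviewer checks the condition rather
            # than trusting it blindly.
            public.append({"actions": stmt.get("Action"), "conditional": "Condition" in stmt})
    return public


def audit_bucket(name: str, acl: dict, policy_json: Optional[str],
                 block_public_access: bool) -> dict:
    """Combine ACL, policy and Block Public Access into one finding.

    block_public_access is True when all four Block Public Access settings are on;
    in that state S3 ignores public ACLs and rejects public policies, so the
    bucket is not exposed even if the documents look leaky.
    """
    acl_perms = acl_public_permissions(acl)
    policy = json.loads(policy_json) if policy_json else {}
    pol_stmts = policy_public_statements(policy)
    return {
        "bucket": name,
        "acl_public_permissions": acl_perms,
        "policy_public_statements": len(pol_stmts),
        "block_public_access": block_public_access,
        "exposed": bool(acl_perms or pol_stmts) and not block_public_access,
    }


# Constructed sample documents in the shape boto3's get_bucket_acl /
# get_bucket_policy return; the bucket names are placeholders, not real buckets.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LEAKY_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-voter-data/*"},
]})

if __name__ == "__main__":
    print(audit_bucket("example-voter-data", PRIVATE_ACL, LEAKY_POLICY, False))
    print(audit_bucket("example-fan-data", LEAKY_ACL, None, False))
    print(audit_bucket("example-locked-down", LEAKY_ACL, LEAKY_POLICY, True))
```

In a live audit, feed each bucket's get_bucket_acl, get_bucket_policy and get_public_access_block results into audit_bucket and alert on any finding with exposed set to True.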

Part 02 of five

Azure - Data Breaches

Only two data breaches involving Microsoft Azure can be located in the public domain: the exposure of sensitive data from over 80 million American households and the exposure of millions of time-stamped number plate images from Tesco car parks. Both data breaches were due to user configuration errors, not Microsoft Azure security issues. Several Microsoft Azure vulnerabilities, including compromised passwords, Remote Desktop Protocol vulnerabilities, and the BlackDirect vulnerability, have been uncovered recently, and they are presented below along with the two data breaches.

Data Breaches

1. Exposure of Sensitive Household Data

  • In May 2019, there was a report that an improperly configured, 24-gigabyte Microsoft Azure cloud server database had inadvertently divulged private information from over 80 million households in the United States.
  • Ran Locar and Noam Rotem were the two Israeli researchers who discovered the unprotected database and the data leak. The database appeared to have been exposed since February 2019.
  • The number of household members and full name, age, gender, income bracket, marital status, homeowner status, birth date, type of home, and address of each household member were among the sensitive details that were exposed.
  • It was a user configuration error, not a Microsoft Azure security issue, that caused the breach: the cloud settings had not been configured to enforce the required privacy settings.
  • The database owner had since been informed by Microsoft of the error, and the database had been taken down.

2. Exposure of Number Plate Images

  • In September 2019, there was a report that an unprotected Microsoft Azure Blob linked to Tesco’s parking web app had exposed millions of time-stamped automatic number plate recognition images from 19 Tesco car parks in the United Kingdom.
  • The Azure Blob contained images of vehicles entering and leaving Tesco car parks.
  • Both the Azure Blob and the parking web app were managed by Ranger Services, a third-party vendor. The Azure Blob was inadvertently left unprotected after it was opened up during a scheduled data migration to an AWS data lake.

Uncovered Vulnerabilities

1. Compromised Passwords

  • In the first quarter of 2019, Microsoft’s identity threat research team discovered that compromised passwords on 44 million Microsoft Services and Microsoft Azure Active Directory (AD) accounts were rendering these accounts susceptible to account hijacking.
  • The discovery was made after over 3 billion exposed login credentials were cross-checked against consumer and enterprise credentials on Microsoft. These login credentials were leaked in various security breaches. Data on these security breaches came from multiple sources, including publicly accessible databases and law enforcement.
  • An analysis of these compromised passwords revealed that the root cause was password reuse.
  • In response, Microsoft forced a password reset for these compromised accounts.

2. Vulnerabilities in Remote Desktop Protocol

  • In August 2019, there was a report that specialists from Check Point Research had uncovered 25 vulnerabilities in Microsoft Azure’s Remote Desktop Protocol (RDP), a protocol for accessing other remote Windows machines.
  • Attackers could exploit these vulnerabilities to create, view, change, or delete data or accounts, and “execute code arbitrary in the target system.”

3. BlackDirect Vulnerability

  • In December 2019, there was a report that security experts from CyberArk, a cybersecurity firm, had uncovered a serious Microsoft Azure vulnerability that permits malicious attackers to control Azure user accounts.
  • The vulnerability, named BlackDirect, involves the OAuth 2.0 applications of Microsoft. The security experts from CyberArk found that these applications permit attackers to take over a victim’s Azure account and use the victim’s permissions for their own interests.
  • OAuth is an authorization protocol that allows users to grant third-party applications or websites access to their information. OAuth 2.0 is the version of OAuth that enables a third-party application to obtain “limited access to an HTTP service.”
  • According to the CyberArk security analysts, the fact that OAuth applications “trust domains and sub-domains that are not registered on Microsoft” is what makes it possible for attackers to acquire an Azure user’s permission and obtain access to Active Directory and other Azure resources.
  • An attacker who takes advantage of this BlackDirect vulnerability can steal sensitive data, endanger production servers, manipulate data, and encrypt data via ransomware.
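An added example, not from the report, Microsoft or CyberArk: the weakness described above is an authorization flow trusting domains and sub-domains that were never registered for the application. The lax checker below reproduces that class of mistake (matching on a host-name suffix) and the strict checker shows the defence, an exact match of the whole pre-registered redirect URI. The registered URIs and the inputs are constructed for illustration.

```python
"""Lax vs. strict OAuth 2.0 redirect_uri validation (added example, constructed URIs)."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical redirect URIs registered for one application (placeholder hosts).
REGISTERED = {
    "https://app.example.com/auth/callback",
    "https://portal.example.com/oauth/return",
}


def lax_is_allowed(redirect_uri: str) -> bool:
    """The mistake: trust any host whose name merely ends with a registered host.

    This accepts unregistered sub-domains (and look-alike names such as
    notapp.example.com), which is the trust-the-subdomain failure the
    BlackDirect finding describes; it also ignores scheme, port and path.
    """
    host = urlsplit(redirect_uri).hostname or ""
    return any(host.endswith(urlsplit(r).hostname or "") for r in REGISTERED)


def _normalize(uri: str) -> Optional[Tuple[str, str, int, str]]:
    """Canonical (scheme, host, port, path) for an https URI, else None."""
    parts = urlsplit(uri)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or 443, parts.path or "/")


def strict_is_allowed(redirect_uri: str) -> bool:
    """The defence: exact match of the whole pre-registered URI.

    RFC 6749 section 3.1.2.3 requires simple string comparison against the
    registered URI; the only normalization here is host case and the default
    https port. Query strings and fragments are rejected rather than stripped,
    so a caller cannot append parameters the application never registered.
    """
    parts = urlsplit(redirect_uri)
    if parts.query or parts.fragment:
        return False
    candidate = _normalize(redirect_uri)
    if candidate is None:
        return False
    return candidate in {_normalize(r) for r in REGISTERED}


if __name__ == "__main__":
    # Constructed inputs: the first is the registered URI, the rest are variants
    # an authorization server should refuse.
    for uri in ("https://app.example.com/auth/callback",
                "https://evil.app.example.com/auth/callback",
                "https://notapp.example.com/auth/callback",
                "http://app.example.com/auth/callback"):
        print(f"{uri}: lax={lax_is_allowed(uri)} strict={strict_is_allowed(uri)}")
```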

Research Strategy

We were able to locate only two data breaches for Microsoft Azure. In finding Microsoft Azure’s most notable security breaches, we employed the following strategies. First, since Azure became commercially available in February 2010, we scoured news articles published as early as that month and year for details about data or security breaches involving Microsoft Azure. Articles published by Help Net Security, Forbes, and CISO Magazine were among the articles we consulted.

Second, we checked whether there were databases or reports that regularly track data or security breaches. This led us to the following reports: Microsoft Security Intelligence Reports, Identity Theft Resource Center Data Breach Reports, and Privacy Rights Clearinghouse’s Chronology of Data Breaches. There was no mention of any Azure data breach in these reports, however. Finally, we examined the website of Microsoft for any relevant press releases. All that we were able to find with these three strategies, however, were two data breaches and several uncovered vulnerabilities. The financial impact of each of these two data breaches is not publicly available.
Part 03 of five

Google Cloud - Data Breaches

The National Security Agency (NSA) infiltration in 2013, the Volusion incident in October 2019, and the 4-terabyte user data discovery in November 2019 were among the notable data breaches for Google Cloud. These are outlined below along with additional findings.

National Security Agency Breach

  • The Washington Post reported in October 2013 that the National Security Agency (NSA) had secretly infiltrated major communication links between Yahoo and Google cloud data centers.
  • The breach was revealed by Edward Snowden and verified by other officials.
  • The NSA reportedly positioned itself to collect data from hundreds of millions of user accounts.
  • In a period of 30 days, NSA field collectors allegedly processed over 180 million new records.
  • These included metadata such as sender and recipient emails, date, and email content.
  • The NSA was able to breach these communication lines through legal loopholes allowed under the MUSCULAR and PRISM programs.
  • These programs confer court-approved front-door access to Google and Yahoo accounts.
  • The leaked documents show that the NSA added and removed SSL in the pathway between public Internet and Google Cloud.
  • The NSA also reportedly tried to filter data from Google Cloud's web crawler.
  • Google chief legal officer David Drummond stated, "We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."

Volusion Google Cloud Platform Attack


Google Cloud 4TB Data Breach


Google Cloud Platform DNS Hijack


Google Cloud PDF Decoy Malware

  • In January 2019, Dark Reading reported a concerted series of attacks targeting financial firms using the App Engine Google Cloud Platform.
  • The attacks revolved around the delivery of malware using PDF decoys to victim organizations.
  • The URL used to deliver the malware redirected to Google App Engine on Google Cloud Platform to appear legitimate and verified.
  • As Google Cloud Platform is a trusted source among enterprise users, the victims did not realize the threat delivered to their inboxes.
  • The PDF decoy presented a link to enable recipients to view its contents.
  • Once viewers clicked the link, they were logged out of Google App Engine and redirected to a landing page where a malicious file was downloaded.
  • The Google Cloud App Engine validated the process all throughout and delivered the malware payload.
  • The attack also executed a second-stage payload to make it more difficult to analyze.
  • According to security researcher Ashwin Vamshi, "The usage of themed PDF decoys with enticing emails is a perfect choice since the payload seems to be originating from a trusted source, and popular PDF viewers enable users to easily whitelist domains."
  • Around 42 organizations were attacked by the PDF decoy malware.
  • Most were from the financial sector including OmniPay, Travelex and Accuity among others.
  • Government departments were also targeted including the Indian Ministry of External Affairs.
  • Dark Reading reported that the attack was linked to the threat group Cobalt Strike.
  • Google has been notified of the attack on its Google Cloud Platform.
  • However, no further action to improve the validation process of the GCP redirector was reported at the time.
Part 04 of five

IBM Cloud - Data Breaches

IBM Cloud has suffered data breach attacks from Chinese hackers in 2018 and 2019. These and additional findings are outlined below.

2018 APT10 Attack


2019 Cloudhopper Attack

  • In December 2019, the Wall Street Journal reported another attack by the APT10 group against cloud providers including IBM.
  • This time, more cloud providers were named as victims, such as CGI Group and the Finnish company Tieto Oyj.
  • The incidents were dubbed "Cloudhopper" attacks and potentially compromised major clients such as American Airlines, Deutsche Bank, GlaxoSmithKline and others.
  • BankInfoSecurity reported that personal records of around 100,000 US Navy personnel were compromised in the Cloudhopper attacks.
  • Similar to earlier attacks, hackers used spear-phishing emails with hidden malicious attachments to infiltrate networks.
  • According to the WSJ, HPE reported that the hackers were able to sneak back in after systems had been cleaned.
  • The affected cloud companies were reportedly reluctant to cooperate with the government investigation; however, IBM and HPE both asserted that they were fully cooperative.
  • IBM stated that "We have no evidence that any sensitive corporate data was compromised…We have worked individually with clients who have expressed concerns."

IBM Cloud Vulnerabilities

Apache OpenWhisk Vulnerability

  • In 2018, IBM and Apache identified a critical vulnerability in the open-source serverless platform OpenWhisk which IBM uses to run several cloud functions.
  • The vulnerability allowed hackers to replace the serverless code with malicious script which could be used to extract client data such as credit card numbers, passwords, and other personal information.
  • The system weakness was originally discovered and demonstrated by the PureSec threat research team.
  • The application layer could be exploited to force a re-initialization request to the local host through tactics such as remote code execution, a script flaw, or an SSRF weakness.
  • IBM and Apache both deployed patches to fix the vulnerability in the serverless platform.
Eclypsium 'Bare Metal' Vulnerability

  • In February 2019, IBM acknowledged a "low severity" vulnerability in its Cloud Baseboard Management Controller (BMC) Firmware.
  • According to the company, a hacker with access to its provisioned system could overwrite the firmware of BMC.
  • The vulnerability could set up the next system user for an attack.
  • CBR Online reports that a security specialist firm named Eclypsium demonstrated the vulnerability by successfully implanting susceptibilities via remote access to a "bare metal" IBM Cloud server.
  • While IBM rated the weakness as 'low severity', Eclypsium called the issue 'critical'.
  • IBM has provided fixes for the vulnerability by forcing a reflash of all BMCs and regeneration of passwords.
IBM Cloud Orchestrator Vulnerability

IBM Cloud Security Measures


Research Strategy

We found only two notable data breaches for IBM Cloud. We performed the following research strategies to determine publicly available information on data breaches and cybersecurity attacks:

First, we conducted a press search for news on IBM Cloud attacks and data breaches in the past decade. We searched news releases carefully by year from the time IBM first launched its cloud services (2011). Second, we researched IBM's press releases and news section for any public disclosure of cloud data breaches and attacks. Lastly, we searched trade media sources focusing on data security news, such as InfoSecurity Magazine and ThreatPost, as well as technology and business news outlets including Wired, TechRadar, Forbes, Reuters, the Wall Street Journal, BizJournal and others. The only notable attacks on IBM Cloud were those from 2018 and 2019 perpetrated by Chinese hackers. Other reported cloud attacks were demonstrations of vulnerabilities by cybersecurity firms and caused no quantified or intentional damage.

These findings have been outlined above. As additional information, we have also provided examples of security measures implemented by the company to protect its cloud assets and services.
Part 05 of five

HPE Cloud - Data Breaches

Some of the most notable security breaches for HPE Cloud impacted their clients: Huntington Ingalls, Ericsson, Sabre, and the US Navy. These companies are leaders in their respective industries and service a large group of people, which is why these specific security breaches were also chosen. Additionally, a brief background on the recent "Cloud Hopper Operation" is described as it was largely responsible for these breaches, which started around late 2016. One breach, affecting the US navy, was also added as a separate case due to the number of people affected, the sensitivity of the data exposed, and its connection to the military.

Cloud Hopper Operation Brief Overview

  • Cloud Hopper was a hacking campaign in which two Chinese nationals were accused of identity theft and fraud.
  • A 2017 report noted that the Cloud Hopper attacks on managed service providers (MSPs) started around late 2016 and are said to have been carried out by several China-aligned groups, including APT10.
  • The Cloud Hopper attacks globally accessed the intellectual property and sensitive data of different MSPs and their clients.
  • Hewlett Packard Enterprise and IBM were the two MSPs initially identified as having been compromised by the hack, based on a Reuters report.
  • Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology were later identified as also being compromised. DXC is a services arm spun off from a merger between HPE and Computer Sciences Corporation in 2017.
  • Reuters reported that the "full extent of the damage done by the campaign hasn't been determined yet and many victims are unsure of exactly what information was stolen."

HPE Cloud Breaches and Vulnerabilities

  • After hackers penetrated HPE’s cloud computing service, they "used ‘spear phishing’ email to trick employees into downloading malware or giving away their passwords." The attackers were able to "pilfer a huge volume of corporate and government secrets."
  • Service providers "withheld information from hacked clients, out of concern over legal liability and bad publicity," which undermined corporate and government response to the attacks. Most of the victims remain a closely held secret.
  • HPE reportedly fought Cloud Hopper continually for "at least 5 years and remains vigilant in its efforts to mitigate attacks."
  • Reuters reported that attackers "stole directories of credentials, which allowed them to impersonate HPE employees." Once the MSP was accessed, "the attackers would 'jump' from the MSP network to servers hosting client data."
  • A spokesman for DXC (the services arm of HPE) claims that "neither the company nor any DXC customer whose environment is under their control has experienced a material impact caused by APT10 or any other threat actor."
  • In December 2018, HPE's stock "closed down $0.52 (3.95 %) to $12.65 per share," 30 minutes after the Reuters story on Cloud Hopper came out.

Affected HPE Clients

1. Huntington Ingalls Breach
  • In 2017, HPE investigators found evidence that Huntington Ingalls Industries, a significant client of HPE and the largest U.S. military shipbuilder, was hacked by the Chinese.
  • "Computer systems owned by a subsidiary of Huntington Ingalls were connecting to a foreign server controlled by APT10."
  • Huntington Ingalls executives were concerned that data had been accessed from its biggest shipyard, in Newport News, Va., where it builds nuclear-powered submarines.
  • However, a Huntington Ingalls spokeswoman later claimed they were sure that "there was no breach of any HII data via DXC or HPE."
2. Ericsson Breach
  • Another HPE client affected was Ericsson, the Swedish telecommunications equipment maker.
  • Ericsson has partnered with HPE since 2015.
  • Reports note that there was a persistent and pervasive attack on Ericsson, which was up against China's Huawei Technologies to build infrastructure for 5G networks.
  • The attacks also appeared random, as Ericsson could not always tell what data was being targeted. Sometimes, the attackers went through project management information, product manuals, they modified logs and deleted files, and also infected them with malware.
  • In a statement to Reuters, Ericsson's Chief Security Officer Pär Gunnarsson "declined to discuss specific incidents."
3. Sabre Breach
  • Another HPE client that was involved in a breach was Sabre Corp, an American company, which is a leading provider of "reservation systems for tens of thousands of hotels around the world. It also has a comprehensive system for booking air travel, working with hundreds of airlines and 1,500 airports."
  • In 2015, investigators found that "at least four HP machines dedicated to Sabre were tunneling large amounts of data to an external server."
  • Former HPE employees noted that HPE management limited access to the investigation and was reluctant to tell Sabre everything.
  • After an investigation of the breach, a Sabre spokeswoman claimed they found “that there was no loss of traveler data, including no unauthorized access to or acquisition of sensitive protected information, such as payment card data or personally identifiable information.” There was no further comment on "whether any non-traveler data was compromised."
4. 2016 US Navy Breach
  • HPE won a $3.5 billion contract to handle the Navy's communications network from 2013-2018.
  • In 2016, the personal information of thousands of sailors in the U.S. Navy was compromised.
  • The laptop of a Hewlett Packard Enterprise Co. employee was accessed by unknown individuals, who were able "to access the names and social security numbers of 134,386 current and former sailors."
  • During that time, HPE shares dropped 1.8% in trading from 3%.
  • The Navy pressed Hewlett Packard Enterprise to pay for credit monitoring services, however, HPE "declined to comment on the breach, the investigation or whether the company intends to pay for the credit monitoring for sailors."
  • The personal data came from a database known as Career Waypoints (C-WAY), which is used by sailors "to submit requests for re-enlistment and to change Navy Occupational Specialties."

Research Strategy

We were able to locate the four most notable data breaches for HPE Cloud. Three of the breaches were identified from the pervasive "Cloud Hopper" campaign instigated by Chinese hackers, which impacted HPE and their clients, along with other managed service providers.

To identify additional breaches, we scoured news articles for details about data or security breaches involving HPE Cloud. We reviewed different articles, including Reuters, Data Breach Today, Wall Street Journal, CNBC, and others. Next, we checked if some databases or reports tracked data or security breaches. We found Identity Theft Resource Center Data Breach Reports, Selfkey.org, and Privacy Rights Clearinghouse’s Chronology of Data Breaches, but none made any mention of data breaches to HPE. We also examined HPE's website for any relevant press releases and news for any public disclosure of cloud data breaches and attacks. Finally, we expanded the search to also include articles older than 2018, and we found some news articles from 2016 to 2017, which described the 2016 US Navy breach included above.

We also found that managed service providers (such as HPE) and their clients often decline to comment on security breaches, and most victims from these breaches are kept a "closely held secret" and often "withhold information due to concern over legal liability and bad publicity." This is likely the reason why we could only identify four breaches for HPE Cloud.

In all, Huntington Ingalls, Ericsson, Sabre, and the US Navy were chosen as the most notable, as they were also leaders in their respective industries, which include telecommunications, travel and the military. They also service a large group of people who were likely affected by the HPE Cloud breaches.
Sources

From Part 03
Quotes
  • "Hackers have breached the infrastructure of Volusion, a provider of cloud-hosted online stores, and are delivering malicious code that records and steals payment card details entered by users in online forms."
  • "COMPROMISED GOOGLE CLOUD INFRASTRUCTURE The incident took place this week after hackers gained access to Volusion's Google Cloud infrastructure, where they modified a JavaScript file and included malicious code that logs card details entered in online forms. Volusion is a known Google Cloud Platform customer."
  • "The compromised file is hosted at https://storage.googleapis.com/volusionapi/resources.js, and is loaded on Volusion-based online stores via the /a/j/vnav.js file."
  • "The incident is what cyber-security experts call a Magecart attack or web card skimming, where crooks steal payment card details from online shops, rather than ATMs. These types of hacks have been happening for years, but they've intensified over the past two."
  • "The Volusion incident that's currently underway is the first one traced back to Google Cloud."
Quotes
  • "An unsecured database stored in Google Cloud contained 1.2 billion records. Here's what you should know."
  • "The latest breach of personal information was discovered in October by a security researcher named Vinny Troia. He found almost 4 terabytes of data--about 1.2 billion records--simply sitting in an unsecured Google Cloud server, Wired reported on Friday."
  • "Troia describes the data as a collection of profiles that include home and mobile phone numbers, email addresses, work histories based on LinkedIn profiles, and other social media profiles like Twitter and Facebook. "
  • "Troia says he has notified the FBI and the database was taken offline. He also uploaded the information to www.haveibeenpwned.com, which allows users to identify whether or not their personal data has been included in a data breach."
Quotes
  • "The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials."
  • "In this slide from a National Security Agency presentation on “Google Cloud Exploitation,” a sketch shows where the “Public Internet” meets the internal “Google Cloud” where user data resides. Two engineers with close ties to Google exploded in profanity when they saw the drawing."
  • "In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — including “metadata,” which would indicate who sent or received e-mails and when, as well as content such as text, audio and video."
  • "The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process."
  • "In a statement, Google’s chief legal officer, David Drummond, said the company has “long been concerned about the possibility of this kind of snooping” and has not provided the government with access to its systems. “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” he said."
Quotes
  • "Three waves of DNS hijacking attacks against consumer routers have been linked back to Google Cloud Platform abuse."
  • "Hackers have been abusing Google’s cloud computing service to redirect and intercept web and mail traffic on an array of vulnerable consumer routers."
  • "A researcher said that he has seen the Google Cloud Platform being abused to carry out three separate waves of DNS hijacking attacks over the past three months targeting D-Link, ARGtek, DSLink, Secutech, and TOTOLINK routers. DNS hijacking is an attack that causes router traffic to be redirected and sent to malicious websites."
  • "“All exploit attempts have originated from hosts on the network of Google Cloud Platform,” said Troy Mursch with Bad Packets Report in a Thursday report. “In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.”"
Quotes
  • "A new wave of attacks abuses the Google Cloud Platform URL redirection in PDF decoys, sending users to a malicious link."
  • "Researchers have spotted a trend in targeted themed attacks using the App Engine Google Cloud Platform (GCP) to deliver malware via PDF decoys. "
  • "The threat has so far been detected across 42 organizations, mostly in the financial sector but also within governments worldwide."
  • "This attack is more convincing than traditional attacks because the URL hosting the malware redirects the host URL to Google App Engine, explain Netskope analysts in findings published today. Many decoys used were likely linked to threat actor group Cobalt Strike, they report."
  • "'URL redirection mechanisms/features are widely used and abused by threat actors to deceive victims into believing the malicious files are being delivered from a trusted source,' says Ashwin Vamshi, a Netskope security researcher and author of the report. 'The usage of themed PDF decoys with enticing emails is a perfect choice since the payload seems to be originating from a trusted source, and popular PDF viewers enable users to easily whitelist domains.'"
From Part 04
Quotes
  • "Hackers working on behalf of China’s Ministry of State Security breached the networks of Hewlett Packard Enterprise and IBM, then used their access to hack into their clients’ computers."
  • "The attacks were part of a Chinese campaign known as Cloudhopper, which the United States and Britain on Thursday said infected technology service providers in order to steal secrets from their clients."
  • "Both IBM and HPE declined to comment on the specific claims made by the sources."
  • "Cloudhopper, which has been targeting technology services providers for several years, infiltrated the networks of HPE and IBM multiple times in breaches that lasted for weeks and months, according to another of the sources with knowledge of the matter."
  • "IBM has dealt with some infections by installing new hard drives and fresh operating systems on infected computers, said the person familiar with the effort."
Quotes
  • "State-sponsored Chinese hackers broke into the servers at Palo Alto-based Hewlett Packard Enterprise, IBM and several other large cloud providers and stole customer data, Reuters reports, citing unnamed sources."
  • "Federal prosecutors on Thursday unsealed their indictment of two Chinese citizens accused of participating in the attacks. Prosecutors claim Zhu Hua and Zhang Shilong are members of a state-sponsored hacking group that American cybersecurity companies have dubbed Advanced Persistent Threat 10."
  • "APT10 hackers allegedly sent so-called “spearfishing” emails to specific employees at cloud companies from legitimate-sounding email addresses. The emails each contained malware-laden attachments that quietly compromised the victim’s network, giving hackers access to data stored in the cloud."
  • "IBM investigated an attack on its cloud servers as recently as this summer, a source told Reuters."
  • "“IBM has been aware of the reported attacks and already has taken extensive counter-measures worldwide as part of our continuous efforts to protect the company and our clients against constantly evolving threats,” IBM told Reuters. “We take responsible stewardship of client data very seriously, and have no evidence that sensitive IBM or client data has been compromised by this threat.”"
Quotes
  • "The Journal reports that at least a dozen cloud providers have been hit, including Canada's CGI Group, the Finnish IT services company Tieto Oyj and IBM. Those companies' clients include Rio Tinto, Philips, American Airlines, Deutsche Bank, Allianz and GlaxoSmithKline, the Journal reports."
  • "The attacks often start with spear-phishing emails containing malicious attachments. Even when MSPs have detected Cloud Hopper attacks, it has proven difficult to kick the attackers out."
  • "The Journal's investigation builds on a scoop by Reuters a year ago. At the time, Reuters reported IBM was a victim along with Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corp. and DXC Technology, which was created when Hewlett Packard Enterprise (HPE), also a victim, merged with CSC (see Cloud Hopper: Major Cloud Services Victims Named)."
Quotes
  • "IBM Cloud Takes Action to Address Latest Security Vulnerabilities | IBM"
  • "We're taking action to secure our cloud against recent security vulnerabilities | IBM"
  • "Protecting instances from the SWEET32 Birthday attack vulnerability"
Quotes
  • "IBM has launched Cloud Pak for Security, a new platform for tackling cybersecurity threats across multicloud and hybrid environments."
  • "On Wednesday, the tech giant said the new system, available today, "is the first platform to leverage new open source technology pioneered by IBM, which can search and translate security data from a variety of sources, bringing together critical security insights.""
Quotes
  • "Potential security vulnerabilities made public on August 14, 2018, have the potential to allow those with malicious intent to gather sensitive data from computing devices and, therefore, must be addressed."
  • "Although there has yet to be a known exploit, IBM Cloud takes all threats seriously and is taking precautionary measures on behalf of our clients."
  • "Next steps: cloud host reboots. IBM Cloud will apply patches to VSI cloud hosts worldwide in the coming days to mitigate the risk to our virtual server clients."
  • "We are not able to mitigate this potential vulnerability via hot patching, thus cloud host reboots are the best approach to mitigating the threat to our VSI platform."
Quotes
  • "Summary: The Baseboard Management Controller (BMC) is a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting. As part of IBM Cloud’s Bare Metal Server offering, clients have access to the BMC."
  • "Vulnerability Details: On some system models offered by IBM Cloud and other cloud providers, a malicious attacker with access to the provisioned system could overwrite the firmware of the BMC. The system could then be returned to the hardware pool, where the compromised BMC firmware could then be used to attack the next user of the system."
  • "Remediation/Fixes: IBM has responded to this vulnerability by forcing all BMCs, including those that are already reporting up-to-date firmware, to be reflashed with factory firmware before they are re-provisioned to other customers. All logs in the BMC firmware are erased and all passwords to the BMC firmware are regenerated."
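The bulletin above makes a point worth seeing in code: a BMC that "reports up-to-date firmware" proves nothing, because the report comes from the firmware an attacker may have overwritten, so the reclaim step has to measure the image and then reflash, wipe logs and rotate credentials unconditionally. The following is an added example written for this page, not IBM Cloud's own tooling; the factory image, golden hash table and tampered image are all constructed for the demo, and the BMC is modelled as a plain object rather than driven over IPMI or Redfish.

```python
"""Bare-metal reclaim check for a BMC: measure the image, never trust the
version string. Added example, not IBM Cloud code. Models the remediation
quoted above: on return to the pool every BMC is reflashed with factory
firmware, its logs erased and its passwords regenerated, regardless of the
firmware version it claims to run. All images and hashes are constructed."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed "factory" image and golden manifest (version -> SHA-256).
FACTORY_VERSION = "3.41"
FACTORY_IMAGE = b"FACTORY-BMC-FW-3.41-" + bytes(range(256))
GOLDEN: Dict[str, str] = {FACTORY_VERSION: hashlib.sha256(FACTORY_IMAGE).hexdigest()}


@dataclass
class BMC:
    """Minimal model of what the reclaim step can read and write on a BMC."""
    reported_version: str          # self-reported, attacker-controllable
    image: bytes                   # what a firmware dump actually contains
    event_log: List[str] = field(default_factory=list)
    admin_password: str = "changeme"
    flash_count: int = 0


def measure(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def firmware_drifted(bmc: BMC) -> bool:
    """True when the measured image does not match the golden hash for the
    version the BMC claims. A tampered image that keeps the version string
    is exactly the case a version check alone would wave through."""
    expected = GOLDEN.get(bmc.reported_version)
    return expected is None or measure(bmc.image) != expected


def reclaim(bmc: BMC) -> dict:
    """Reprovisioning hygiene: record a forensic finding, then reflash,
    erase logs and regenerate credentials whether or not drift was seen."""
    finding = {
        "drift": firmware_drifted(bmc),
        "claimed_version": bmc.reported_version,
        "measured": measure(bmc.image),
    }
    bmc.image = FACTORY_IMAGE                  # reflash from factory image
    bmc.reported_version = FACTORY_VERSION
    bmc.flash_count += 1
    bmc.event_log.clear()                      # erase BMC logs
    bmc.admin_password = secrets.token_urlsafe(24)  # regenerate passwords
    finding["post_reflash_ok"] = not firmware_drifted(bmc)
    return finding


if __name__ == "__main__":
    # Constructed tampered BMC: correct version string, modified image.
    evil = BMC(FACTORY_VERSION, FACTORY_IMAGE + b"\x90" * 16, ["login admin"])
    print(reclaim(evil))
```

The finding is kept separately from the remediation so that drift can be escalated (the previous tenant is a suspect) without the reflash ever being skipped when measurement happens to match.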
Quotes
  • "Eclypsium, a firmware and hardware security specialist based in Portland, Oregon, says it managed to successfully implant vulnerabilities remotely into an IBM Cloud server it leased as “bare metal”. It then managed to identify and regain access to the server – now in use by a new cloud client – when it was released back into IBM’s hardware pool."
  • "IBM Cloud Pwnage: “Low Severity” Says IBM. “Critical” Says Eclypsium…"
  • "After Eclypsium relinquished the use of the server, the BMC was not re-flashed with factory firmware meaning the company could have permanently crippled the server, stolen data on the physical host, or worse."
  • "The attack, likely to cause waves across the cloud industry – given that convincing some sectors the cloud is secure remains an uphill struggle – exploited the Baseboard Management Controller (BMC); a third-party server component used to enable remote management for initial provisioning, OS reinstall and troubleshooting."
  • "“We originally chose SoftLayer [Ed: a bare metal provider bought and rolled into IBM Cloud in 2013] for our testing environment because of its simplified logistics and access to hardware but noticed SoftLayer was using Supermicro server hardware that, based on our previous research, we knew to be vulnerable,” Eclypsium said."
Quotes
  • "The flaw opened a hole in IBM’s serverless Cloud Functions platform, potentially exposing confidential customer data."
  • "Apache and IBM have patched a critical vulnerability that allows attackers to replace a company’s serverless code with their own malicious script."
  • "This is the first publicly-disclosed vulnerability in a serverless platform (tracked as CVE-2018-11756 and CVE-2018-11757)."
  • "PureSec disclosed and notified both Apache and IBM privately. Apache has also released a patch, and other users of Apache OpenWhisk should update to the latest version immediately."
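The quotes above say the attacker could "replace a company's serverless code with their own malicious script" but not how. In the PureSec disclosure and the Apache advisory for CVE-2018-11756/11757, the weakness was that an action runtime container's /init endpoint remained callable after the first initialisation, so a function that could be made to issue an HTTP request (for instance through an injection bug in the function itself) could re-init its own container with attacker code, which then served every later invocation of that action. The fix was to make the runtime refuse a second /init. The following is an added example written for this page, not OpenWhisk's or IBM's code: the HTTP endpoints are simulated as method calls, the "action code" is a formatting template rather than executed user code, and the 403 message is this example's own constant.

```python
"""Serverless action runtime: /init reachable after initialisation (vulnerable)
beside the init-once guard (hardened). Added example modelling the mechanism
of CVE-2018-11756/11757; not Apache OpenWhisk code. HTTP is simulated with
plain method calls and the action code is a constructed template."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

INIT_ONCE_ERROR = "Cannot initialize the action more than once."  # example's own text


@dataclass
class Runtime:
    """One action container. enforce_init_once=False is the pre-fix behaviour."""
    enforce_init_once: bool
    code: Optional[str] = None
    init_count: int = 0

    def init(self, code: str) -> Tuple[int, str]:
        """Handles POST /init. Returns (status, body)."""
        if self.enforce_init_once and self.code is not None:
            return 403, INIT_ONCE_ERROR
        self.code = code
        self.init_count += 1
        return 200, "OK"

    def run(self, payload: Dict[str, str]) -> Tuple[int, str]:
        """Handles POST /run. A real runtime executes user code; here the
        'code' is a greeting template so the example stays self-contained."""
        if self.code is None:
            return 500, "not initialized"
        return 200, self.code.format(**payload)


def attacker_reinit(rt: Runtime) -> Tuple[int, str]:
    """What a compromised function can do from inside its own container:
    reach the runtime's loopback /init and swap in attacker code."""
    return rt.init("EXFIL {name} to attacker")


def scenario(enforce_init_once: bool) -> dict:
    """Deploy, serve one request, attempt re-init, serve the next request."""
    rt = Runtime(enforce_init_once=enforce_init_once)
    rt.init("Hello, {name}")                     # legitimate deployment
    before = rt.run({"name": "alice"})[1]
    reinit_status, _ = attacker_reinit(rt)
    after = rt.run({"name": "bob"})[1]           # next caller of the action
    return {"reinit_status": reinit_status, "before": before,
            "after": after, "init_count": rt.init_count}


if __name__ == "__main__":
    print("vulnerable:", scenario(False))
    print("hardened:  ", scenario(True))
```

The guard is one comparison, but note where it has to live: in the runtime itself, because the invoker that legitimately calls /init and the compromised function that calls it from inside the container look identical to the endpoint.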
Quotes
  • "IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise has identified and addressed the session management cookies vulnerability."
  • "Refer to the following reference URLs for remediation and additional vulnerability details:"
  • "Source Bulletin: https://www.ibm.com/support/pages/node/1077123"
  • "X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/162259"
Quotes
  • "IBM: "We have no evidence that any sensitive corporate data was compromised…We have worked individually with clients who have expressed concerns.""
  • "The Journal says it remains an "open question whether hackers remain inside companies’ networks today.""
  • "The cloud companies were reportedly hesitant to cooperate with the government investigation into the hack, which led Department of Homeland Security officials to revise federal contracts to require cooperation."