Unprecedented Microsoft Azure Cloud Vulnerability Highlights Need for Improved Cloud Security Controls

Last week’s news about the unprecedented Microsoft Azure Container as a Service (CaaS) vulnerability is a wake-up call for everyone regarding the need to tighten cloud security controls. Palo Alto’s Unit 42 Threat Intelligence Team identified the first known security gap, dubbed Azurescape, that enabled a user to gain administrative privileges over an entire cluster of cloud containers. Yes, you read that correctly. This exploit made it possible for a user to escape their container to access and control other customers’ cloud containers and all the data within.

How did they gain control of the other containers? Palo Alto’s researchers exploited a two-year-old container component vulnerability. Researchers used this security gap to escape Azure’s public cloud environment and gain cluster administrator control of the Kubernetes management system. Palo Alto describes how they exploited this security gap:

“Azurescape is a three-step attack. First, the attacker must break out of their ACI container. Second, they gain administrative privileges over a multitenant Kubernetes cluster. Third, they can take control of impacted containers by executing malicious code.” – Palo Alto 9/9 Blog

Clearly this is a concerning development. However, in good news, it was Palo Alto’s research team that made this discovery, and there are currently no reported attacks in the wild. When Microsoft was notified, they fixed the vulnerability immediately and issued an advisory stating that they did not find any unauthorized access to customer data. This means it is unlikely that you were impacted if you use Microsoft Azure CaaS. However, it’s always good to be careful. Palo Alto also suggests that, “If you have privileged credentials deployed to the platform, we recommend rotating them and checking their access logs for suspicious activity.” If you’d like a deeper technical look on how Unit 42 discovered this vulnerability, read their informative blog post.

Configuration Mistakes are by Far the Biggest Threat

As concerning as this new attack model is, organizations face a far bigger risk from cloud misconfigurations. One recent report found that 90% of organizations may be vulnerable to a cloud breach due to misconfiguration issues. To compound the problem, the same report also indicates that organizations take over 2 months to remediate these configuration problems after discovery. Even Microsoft has battled with cloud misconfigurations in Azure, in addition to the recent container vulnerability.

What Causes Cloud Configuration Mistakes?

According to Fugue’s cloud security report, organizations cited the following reasons as the top causes for their cloud misconfigurations:

• 52% said it was caused by lack of awareness of cloud security and policies
• 49% stated it was due to the lack of adequate controls and oversight
• 43% noted that they had too many APIs and interfaces to adequately govern
• 32% cited negligent insider behavior

Looking at these causes, it’s clear that many of these errors can be prevented with improved cybersecurity oversight, increased cloud security awareness and training, and closer attention to your cloud security controls. This report also offered some interesting insights into what type of cloud misconfigurations they found:

• 44% were related to security group rules or firewall rules
• 40% involved identity and access management
• 36% were related to disabled encryption at rest.

While cloud misconfiguration and newly vulnerable cloud containers are not the only risks (see our top risks blog for other common cloud risks), we are highlighting the risks of cloud misconfigurations because as you can see from the data presented above, many of the these risks can be quickly, easily and inexpensively solved.

What Can Your Organization Do to Keep Your Cloud Environments Safe?

• Have a plan to protect against misconfigurations. Misconfigurations are common mistakes that are easy to make. Here are some tips to protect your organization:
  1. Routinely inventory of your cloud services. Some organizations discover that employees are using cloud services (Dropbox, Huddle, Google Drive, etc.) without the IT team’s knowledge or review. Ensure your IT team does an annual review – you need to know all the cloud providers your organizations is using.
  2. Regularly review your cloud configuration: Cloud settings and security cannot be a “set it and forget it” process – you need to regularly evaluate your cloud security controls. Consider could security assessments and Office 365 configuration assessments to enhance your security.
  3. Implement misconfiguration detection and alerting tools. Take advantage of tools offered by your cloud provider, and consider third-party tools that offer additional security.
  4. Check your cloud security. In addition to your annual pentest, you should also schedule an annual cloud security assessment. You may also want to consider regular proactive cloud threat hunting – this can uncover indicators that your cloud container may not be secure.
  5. Regularly train your IT team. Major cloud providers frequently offer online training classes. Ensure your team stays current on the security features for your cloud storage providers. You should also plan for continuing education through tabletop simulation exercises, cybersecurity, and incident response trainings and more. If you are using AWS, check out our blog on AWS cloud adoption tips.
• Carefully vet your cloud providers. You may have heard the old joke, “There is no such thing as the cloud – only other peoples’ computers.” While this is certainly a simplification, it’s important to regularly assess the security of your cloud provider and ensure they keep their security up to date.
  1. Understand that cloud security is a shared responsibility. Cloud security requires that both your cloud security provider and your organization have adequate cloud security controls and processes to keep your data safe. Many organizations launched Virtual Desktop Infrastructure (VDI), like AWS Workspaces, to accommodate remote work. This requires its own review. Read our blog on VDI security considerations and tips for easy ways to reduce your risk.
• Ensure you have a strategic cloud security plan. From vetting providers to having an incident response plan, read our blog, The 4 Most Common Cloud Storage Security Risks to confirm that you address the most common security issues our consultant find when doing cloud security assessments. Ensure you have a strategic plan that identifies your cloud security maturity and includes annual security growth goals.

We hope you found these tips helpful! If you would like additional advice or support strengthening your organization’s cybersecurity, we’re here to help. Contact us to see how our experienced consultants can support your cybersecurity goals.