Cathay Pacific: Get Off of My Cloud
Just today, government authorities in Hong Kong launched a formal investigation into the breach to establish whether privacy laws were violated. Privacy law matters, but the investigation should focus just as hard on HOW this happened. Post-mortems of any breach are useful, and I think this one highlights a category of cloud attack we haven't seen much of before but will see with increasing frequency.
First, a little about Cathay Pacific and their cloud deployment. Like many, they've adopted a hybrid cloud strategy:
“In the past three years, Cathay Pacific has been making a shift away from legacy systems to the cloud,” says Aloysius Cheang, executive vice president for Asia Pacific at the Center for Strategic Cyberspace + Security Science, a U.K. think tank for cyber centric leadership. “It now employs a hybrid cloud as part of its strategy to replace their legacy systems,” he says.
The airline is using software from Red Hat to build the underlying open platform infrastructure, and it is using Amazon Web Services to host customer-facing applications such as the online check-in system, flight schedules, fares and web hosting, as was described at AWS Summit Hong Kong in 2017, Cheang points out. "As a result of these front-end apps, I presume that the customer data will be accessible from these apps which are hosted on AWS," he says.
Last April, we wrote about the new attack surface that comes with cloud migration. One of the attacks we described, X-Cloud, seems to have been the method used against Cathay Pacific. By all measures it was pretty successful: according to the headlines, the attackers took 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, and accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).
What is an X-Cloud attack? From our April blog:
Many enterprises are under the impression that they can go easy on security if they don't host 'critical workload' or 'sensitive data' resources in the cloud, but they couldn't be more wrong. Attackers commonly use public clouds to gain entry into on-premises data centers.
Once your organization decides to migrate any workload into the public cloud, the perimeter of your on-premises data center extends into that public cloud environment as well.
So the appropriate defenses are needed there too, but the security controls that protect your on-premises data center cannot easily be extended into your public cloud environment.
This forces many organizations to adopt a fragmented security posture that is complex to maintain and leaves the door open for attackers. Public cloud workloads can become infected with malware. As the malware replicates and spreads, the attack can easily jump from the public to the private cloud over standard protocols if there are no lateral defenses in place.
Cathay Pacific-style attack patterns
Cathay Pacific moved application front-ends to the public cloud, extending their perimeter into the great beyond. Many companies quickly discover that you can't simply keep your old security tools in front of those migrated workloads, because the tools themselves would have to move into the public cloud as well. Congratulations, you have a new attack surface.
In the past, the infrastructure was all on premises and shielded by comprehensive security controls at the perimeter. Once the web tier is stretched out into a public cloud, how do you protect the assets in this contorted new architecture?
Attackers understand this very well. One typical trick is to breach the web server in AWS and drop a backdoor that is reachable from the outside. Then they instruct the backdoor to copy all the data out of the database, which must be reachable from the web server for the web application to do its job. Normally the application serves data in small pieces, scoped to the authenticated user. The backdoor bypasses that application logic entirely, and the web server's own database connection has access to the whole data set.
What is really important to note here is that even micro-segmentation alone (!) would not protect against such an attack: the web server legitimately needs access to the data that it serves, so a network rule that allows web-to-database traffic allows the dump too.
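The point above is easy to demonstrate in code. The following is an added example, not code from the original post or from Cathay Pacific's systems: a constructed in-memory SQLite table stands in for the customer database, the legitimate application path scopes its query to the authenticated user, and a "backdoor" function uses the very same connection to dump every row. Because the scoping lives only in the application's WHERE clause, nothing at the network layer distinguishes the two. The `QueryAudit` class is an assumed illustration of one control that does not depend on a network chokepoint: a database-side log of rows returned per statement, with an alert when one statement returns far more rows than the application's normal access pattern ever does.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample rows with fake values; a real table would hold hundreds
# of thousands of passengers, which is exactly what makes a dump stand out.
SAMPLE_PASSENGERS = [
    (1, "alice", "P1000001", "4111111111111111"),
    (2, "bob",   "P1000002", "4222222222222222"),
    (3, "carol", "P1000003", "4333333333333333"),
    (4, "dave",  "P1000004", "4444444444444444"),
    (5, "erin",  "P1000005", "4555555555555555"),
]


def build_db():
    """Create the in-memory customer table the web tier talks to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE passenger (id INTEGER PRIMARY KEY, username TEXT, "
        "passport TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO passenger VALUES (?, ?, ?, ?)", SAMPLE_PASSENGERS)
    conn.commit()
    return conn


@dataclass
class QueryAudit:
    """Assumed stand-in for a database-side query log (hypothetical control).

    Records how many rows each statement returned and raises an alert when a
    single statement exceeds the application's known per-request volume. It
    sits at the data tier, which the web server cannot be walled off from.
    """
    max_rows_per_query: int = 3   # a check-in request never needs more than a booking's worth
    log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def execute(self, conn, sql, params=()):
        rows = conn.execute(sql, params).fetchall()
        self.log.append((sql, len(rows)))
        if len(rows) > self.max_rows_per_query:
            self.alerts.append(f"{len(rows)} rows returned by one statement: {sql}")
        return rows


def profile_for_user(conn, audit, authenticated_user):
    """Legitimate application path: the web tier has authenticated a user and
    asks the database for that user's row only."""
    return audit.execute(
        conn,
        "SELECT username, passport, card FROM passenger WHERE username = ?",
        (authenticated_user,),
    )


def backdoor_dump(conn, audit):
    """What a backdoor dropped on the web server can do with the same
    connection and the same credentials: the WHERE clause was the only thing
    standing between it and the full table. No firewall rule is crossed."""
    return audit.execute(conn, "SELECT username, passport, card FROM passenger")


def run_demo():
    """Run both paths through the same audited connection and summarise."""
    conn = build_db()
    audit = QueryAudit()
    alice = profile_for_user(conn, audit, "alice")
    dumped = backdoor_dump(conn, audit)
    return {
        "alice_rows": len(alice),
        "dumped_rows": len(dumped),
        "alerts": len(audit.alerts),
    }


if __name__ == "__main__":
    result = run_demo()
    print(result)
```

Run it and the legitimate request returns one row while the backdoor returns all five, yet both travelled over the identical web-to-database path that any segmentation policy has to permit. The only signal that separates them is the volume and shape of what the database handed back, which is why the detection in this example is attached to the data tier rather than to the network.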
So welcome (Willkommen, as we say in Austria) to the new realities of cloud security. In this new era we have to break old habits and old ways of thinking rooted in yesterday's security approach, and we have to admit to ourselves that the chokepoint approach won't work anymore. For the CISO in today's IT world, the security game has in many ways become a whole new model to work with. In years past, the name of the game was "containment with chokepoints". It was a tightly controlled world, and CISOs had the ability to lock it down and only allow data flows through a select set of avenues.
What is the right way? Let’s start with some inspiration from Mick: https://www.youtube.com/watch?v=z8HHqUwKdP8