Optus, the Australian telecommunications company, is facing a $1 million ransom from a cybercriminal claiming access to over 11 million records from Optus customers. The customer information includes names, birthdates, addresses, passports, and more.
So far, the data breach appears to be sophisticated and legitimate. The criminal user shared sample data to back up their claims. Jeremy Kirk, cyber security researcher and writer from ISMG Corp, vetted the claims and spoke in detail with the cybercriminal for an explanation of how they executed the hack– here is what we know.
“Optus if you are reading! price for us to not sale data is 1.000.000$US We give you 1 week to decide,” the criminal under the name ‘Optusdata’ posted on a well-known data leak forum.
Kelly Bayer Rosmarin, Optus CEO, confirmed the threats by making a statement apologizing for the security incident and confirmed 9.8 million Australians were affected.
So how’d this happen? Reportedly, it all comes down to human error – and one we see often. An employee intended to open Optus’ customer identity database via an API, yet required no authentication and it was left accessible via a test network. This can be summed up as a major misconfiguration. And while the results are widespread and harmful, the incident was avoidable.
The alleged hacker confirmed this theory telling Jeremy Kirk, “no authentication needed. That is bad access control. All open to the internet for anyone to use.”
A simple misconfiguration, like an open API, may be what leads an opportunistic attacker right into your cloud environment. But what can they do from there? They can laterally move throughout your account and permission chain their way to your valuable data.
Identities are the new perimeter of the cloud, and they hold the 37,000 unique permissions and actions across all three major cloud providers. With the right identity (read: permissions) attackers can move laterally through your environment to execute their overall mission.
The story we often see picks up right after your ‘perimeter’ is breached. When someone is in your environment, your organization may have no idea. They could be lurking around for days, weeks, or months, doing recon and searching for their first pot of gold – the perfect identity – or two.
Lurking is easy because of the ephemeral and complex nature of the cloud. This complexity leads to security blind spots. A lot of pathways between identity and data and a lot of privilege makes your visibility ‘cloudy’, meaning covert or indirect. In AWS, a ‘trust relationship’ or in Azure, a ‘nested group’ might be offering an identity the ability far past what your organization intended for it to have. We’ll illustrate this sort of permission chain below:
These indirect privileges are gold to an attacker because they are often unbeknownst to the organization, and when you have excessive permissions, your identities quickly become easy to navigate giving excessive access to your environment. Attackers aim to move laterally undetected.
Even if an attacker’s activities are detected, the attacker can maintain their presence within the environment by creating new roles, connecting outside the environment, and the list goes on. Imagine a group of burglars who enter a house through an open window. Then each goes to a different room in the house. Even if a single burglar is discovered in one room, the others can continue stealing items in the others. Similarly, lateral movement enables an attacker to enter the various “rooms” of an environment.
What does an Identity Attack Path Look Like?
Wise attackers might scour a list of predictable role names with reconnaissance and enumeration procedures. Cloud roles may occur in variations (e.g., prodApp-nat, prodApp-app2-nat) of previously breached information. Malicious parties may attempt role name permutations until they arrive at a match.
Upon successfully obtaining a misconfigured role, unauthorized users can enumerate permissions and hone in on their targeted resources. Subsequently, malicious users may acquire precious metadata within the cloud and decrypt the metadata with the capabilities of their misconfigured role. A compromised database enables outsiders to launch a series of attacks on the enterprise by implanting insidious backdoor codes for convenient and frequent access while staying undetected.
Attackers can chain together permissions creating an identity chain attack path. For example, if you have the same owner on several objects in several databases, and you have some stored procedure that accesses these objects, you don’t need to grant access permission to every object that the procedure needs to access. If the procedure and the objects have the same owner, you can grant permission for the procedure, and the database will allow the procedure to access all other objects that share the same owner.
In many cases, the first point of penetration will not grant attackers the level of access or data they need. They will attempt privilege escalation to gain more permissions or obtain access to additional, more sensitive resources.
The Optus Case
In this case, we assume the attack path and lateral movement starts with an initial entry point into the network using an open API. Once the attacker has a foothold on an identity inside the environment, they perform reconnaissance. This means they begin to find out as much as they can about the network, including what the compromised identity has access to and what privileges the identity has.
It is claimed programmers were attempting to open up Optus’ customer identity database to other systems via an application programming interface. While it is believed the process would only grant access to authorized company systems, outsiders may have been granted access via a test network open to the internet.
If a database is open to the internet, this breach really could be from a simple query. It is believed the attackers enumerated the customer records via the ‘contactid’ – a field that appears in the leaked data samples. It’s unclear how Optus used the ‘contactid’. By enumerating, the hacker means they sequentially accessed and downloaded the customer records using the API.
The next step for the attacker to begin moving laterally is a process called “privilege escalation.” Privilege escalation is when an identity (whether legitimate or illegitimate) gains more privileges than they should have within an organization. Attackers purposefully exploit flaws in environments to escalate their privileges on a network. Attackers start with one set of credentials and the privileges associated with that identity. They aim to maximize what they can do with that account, then spread to other identities to take over other accounts as they go. The attacker usually needs admin-level privileges to get the kind of access needed to cause maximum damage or reach their target. Once these credentials are obtained, this essentially gives them control over the entire network.
Because Optus is collaborating with the AFP, specific details of the case cannot be disclosed to the public just yet, including how exactly the breach occurred.
What Could Have Helped Optus?
While we’ve definitely harped on how critical identity and access management is in mitigating breach impact and reducing paths to your data, this case truly started with a misconfiguration. A misconfiguration is just the tip of the iceberg, but it is a ‘way in’.
Solutions exist today aimed at preventing this exact incident – specifically, a mature Cloud Security Posturement Management (CSPM) solution. Cloud Service Providers do a fantastic job at providing a secure platform for your business to thrive off of, but is it your responsibility to secure your environment. CSPM solutions work by constantly comparing your environment to a baseline of appropriate configurations and behavior, looking for deviation. The moment a deviation is detected, such as an API open to anyone on the internet, the tool would flag the issue.
A few things to note: a lot of vendors today provide CSPM solutions including this monitoring and detection, but next-generation tools take things a step further with intelligent workflows and advanced remediation capabilities. In short, a strong solution can allow you to organize your workflow to look like your business so alerts can be automatically routed to the team responsible for them. A business-context backed CSPM solution will inform teams what alerts are a sensitive priority and what can’t wait to be addressed. Additionally, a nice plus is to have automated remediation through either pre-set bots or customized ones.
CSPM addresses an overall security hygiene check on all the configurations and controls you’re responsible for in your cloud, but as we previously mentioned, tackling identity and access is the next layer of that iceberg. Cloud Infrastructure Entitlements Management (CIEM) is a market-leading solution for managing and securing identity in the cloud.
With the right solution, you will have a full-picture of all the identities in your cloud, person or non-person (compute, serverless functions, roles, etc.) and every single action or access they hold. This is the key to addressing the lateral movement risk. Revealing every connection between identity and data is the only way to then strip unnecessary permissions. As we know, an identity’s effective permission (or true ability) is not always clear to the human eye, which is where leveraging a tool that can find every permission, and interpret what it means, is critical to achieving a best-practice policy like Least Privilege. From there, a CIEM solution will continuously monitor your environment to catch new out-of-policy identity configurations or any suspicious activity.
No one in the security, tech, or IT industry is in the business of shaming or pointing fingers when it comes to data breaches, and especially an incident involving ransom. However, it is important to recognize where we are accountable, especially when working in the cloud. Platform security (misconfiguration management) and identity security are two major pillars of a strong cloud security program. There are cloud-native solutions available that integrate the capabilities of CSPM and CIEM together, working off of shared context and insights to better protect your environment. Being prepared and well-equipped with the right tools is the only thing that can stop a cloud misconfiguration.
A criminal investigation by the Australian Federal Police is currently underway investigating the origins of the Optus cyberattack and the methods used by the telco hackers. The breach has been described as “sophisticated”, employing multiple European IP addresses that kept changing during the hack. Rumored culprits include cyber criminals or state-sponsored hackers.
Our thoughts are with Optus’ Blue team while they work through this impactful breach.