July 24, 2023
- CYBERSECURITY HEADLINES TODAY -
Cloud Build Vulnerable to Supply Chain Attacks
Cloud Shared Responsibility Model: Time for an (R)Evolution?
Microsoft Breach May Expose Deeper Problems
This Day, July 24, in Tech History
In this Episode:
Edwin Kwan: Security researchers have discovered a design flaw in Google Cloud Build, which can allow for supply chain attacks.
Chris Hughes: This week, we have an update around the discussion of the Cloud Shared Responsibility Model. The past week and a half, we’ve seen a compromise with the Microsoft Azure Cloud environment, and we’ve seen an incident disclosed by Microsoft and CISA that has been attributed to a Chinese threat actor named Storm-0558.
Trac Bannon: On July 12th, Redmond revealed that Chinese hackers had breached Exchange Online and Azure Active Directory by exploiting a zero-day validation flaw. Government agencies in the US and Western Europe were affected, including the US Department of State and the Commerce Department.
Marcel Brown: July 23rd, 1903. Ford sells its first Model A car to Ernest Pfennig of Chicago, Illinois. This was Henry Ford’s third attempt at creating a company that manufactured cars.
From Sourced Network Productions in Washington DC, it’s 5:05. I’m Hillary Coover. Today is Thursday, July 20th, 2023. Here’s the full story behind today’s cybersecurity and open source headlines.
Edwin Kwan: Google Cloud Build Vulnerable to Supply Chain Attacks
This is Edwin Kwan from Sydney Australia.
Security researchers have discovered a design flaw in Google Cloud Build, which can allow for supply chain attacks. Google Cloud Build is Google Cloud’s managed continuous integration and delivery service. This CI/CD service allows users to automate the process of building, testing, and deploying software.
Cloud Build also integrates with other services in Google Cloud’s ecosystem, such as Artifact Registry, Google Kubernetes Engine, and App Engine. The flaw allows attackers to perform privilege escalation by impersonating the default Cloud Build service account. This gives attackers unauthorized access to code repositories in Google’s Artifact Registry, allowing them to inject malicious code.
Google’s security team had been notified of the findings and implemented a partial fix. It is recommended that organizations pay close attention to the behavior of the default Google Cloud Build service account, and apply the principle of least privilege to mitigate the privilege escalation risk.
Chris Hughes: Cloud Shared Responsibility Model: Time for an (R)Evolution?
Chris Hughes here from Virginia Beach, Virginia.
This week, we have an update around the discussion of the Cloud Shared Responsibility Model. The past week and a half, we’ve seen a compromise with the Microsoft Azure Cloud environment, and we’ve seen an incident disclosed by Microsoft and CISA that has been attributed to a Chinese threat actor named Storm-0558.
We’ve had a security research organization named Wiz come out showing that the incident may have been much bigger than initially anticipated, impacting potentially millions of applications and millions of users.
For those who’ve worked with cloud security for some time, you’ve definitely been familiar with the Cloud Shared Responsibility Model. Now, this typically is laid out across the three different kinds of service models of Infrastructure as a Service, Platform as a Service, and Software as a Service, with increasing amounts of responsibility being attributed to the cloud service provider as you go on from Infrastructure as a Service up through SaaS.
That said, there have been more and more folks in the industry calling for an update to this traditional shared responsibility model, in particular the cloud service provider Google, who have come out with the concept of Shared Fate.
They’ve laid out some common problems, which is that customers simply lack a practical understanding of where their responsibility begins and ends. This means they often don’t have a good understanding of the Shared Responsibility Matrix or Customer Responsibility Matrix between the consumer and the provider.
There’s also a presumption of CSP responsibility from the consumer. They make the assumption that the CSP is doing things that they simply aren’t doing in many cases. And then also situations where CSPs have been limiting what actions cloud customers can take, despite the customer being responsible for some things.
We’ve seen longstanding issues with default configurations, and we’ve seen the push from CISA and others now calling for Secure by Default and Secure by Design from software suppliers and technology suppliers and providers. For example, the AWS S3 default configuration was public for these buckets, and we saw millions of records exposed.
Many organizations run to the security incident misconfiguration, as we typically have called it, but it’s been a default configuration that was insecure and put customers in a compromised situation.
Google has been pushing this Shared Fate approach, and then we’ve seen other organizations, such as the Atlantic Council, calling for this shift.
It’s also emphasized in things like the National Cybersecurity Strategy that was put out by the Office of the National Cyber Director. They’re starting to point out that, when we look across our ecosystem, our society, everything from our personal leisure activities to our critical infrastructure and national security systems, there’s a lot of systemic risk when it comes to our dependence upon cloud, and cloud could have a cascading impact across the ecosystem. If there’s a compromise in one cloud service provider or one cloud service, it can impact other organizations downstream, being a core part of the software supply chain.
Many organizations are now starting to call for suppliers, cloud service providers in this case, to take more responsibility and revisit that traditional Shared Responsibility Model and shift some of that burden into the hands of the major cloud service providers.
That said, stay resilient out there.
Trac Bannon: Microsoft Breach May Expose Deeper Problems
On July 12th, Redmond revealed that Chinese hackers had breached Exchange Online and Azure Active Directory by exploiting a zero-day validation flaw. The breach started in May and was not identified until mid-June. Government agencies in the US and Western Europe were affected, including the US Department of State and the Commerce Department. US cabinet-level emails were hacked in the breach.
Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.
In early May, the State Department had some potential warning signs that widespread irregularities were happening with email. Microsoft began its investigation on June 16th.
The hacking group called Storm-0558 gained access to email data from approximately 25 organizations by using the GetAccessTokenForResourceAPI. They were able to forge signed access tokens to access and impersonate targeted accounts. After detection, Microsoft remediated the issue by blocking tokens that had been issued with the stolen key, then replacing the stolen key with a new one.
A new investigation by cloud security firm Wiz claims the stolen key could have been used more broadly to hack other Microsoft Cloud services, including OneDrive, Teams, and SharePoint. Wiz CTO, Ami Luttwak, stated, “all of Microsoft, all of Microsoft Office 365, all of Azure relies on authentication tokens. This is the fabric of the cloud.” Microsoft suggests the Wiz report is speculative.
Currently, the US Department of Defense is heavily reliant on Microsoft to the extent that even DOD CIO, John Sherman, has voiced his concerns over possible anti-competitive effects. In fact, since 2017, the DOD has exclusively used Microsoft Windows for all of the 4 million plus computers and is rapidly expanding its use of Azure services. An observer like me might ask whether Microsoft has a monopoly. Microsoft has declined to comment on concerns over its DOD role.
Having a diverse and complementary toolset is core to meeting our collective cybersecurity needs. That requires diversification of vendors and commercial organizations, even for the defense industrial base.
There is a silver lining. Microsoft has expanded free cloud logging for all end users. Previously, only premium paid subscribers had the capabilities. It should not take a Chinese breach of the DOD for commercial capability providers to give access to holistic operational telemetry and logging.
For detailed resources supporting this report, head over to 505updates.com.
Something to noodle on.
Marcel Brown: This Day, July 24, in Tech History
This is Marcel Brown, bringing you some technology history for July 23rd and 24th.
July 23rd, 1903. Ford sells its first Model A car to Ernest Pfennig of Chicago, Illinois. This was Henry Ford’s third attempt at creating a company that manufactured cars, incorporating just over a month earlier. The initial $28,000 investment was down to $300 before this first Model A was sold. However, it was the Model T that solidified Ford’s standing in automotive history.
July 23rd, 1985. Commodore introduces its Amiga personal computer, also known as the Amiga 1000 or A1000. Featuring a multitasking windowed operating system, colored graphics and stereo sound among other features ahead of its time, the Amiga developed a loyal user following that remained strong even as the PC market became increasingly consolidated between the dominant IBM compatible PCs and Apple’s Macintosh computers.
In 1994, Byte Magazine would write, “the Amiga was so far ahead of its time that almost nobody, including Commodore’s Marketing Department, could fully articulate what it was all about.
“Today, it’s obvious the Amiga was the first multimedia computer, but in those days it was derided as a game machine because few people grasped the importance of advanced graphics, sound and video.”
July 24th, 1950. The first successful rocket launch occurs at Cape Canaveral. The rocket, Bumper 8, was a captured German V-2 modified with a US Army Corporal second stage.
Cape Canaveral’s location in the Southeast is an ideal site for rocket launches in the United States. By launching eastward, rockets are able to take advantage of the linear velocity of the earth’s rotation. This velocity is greatest towards the equator, making the southern United States preferable, and by launching towards the ocean, away from populated areas, safety downrange from the launch is maximized in case of problems.
That’s your technology history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.
That’s our update for today, July 24th, 2023. I’m Hillary Coover. We’ll be back tomorrow at 5:05.