A Technical Analysis of the Capital One Hack


Posted by Telegram SmartBoT (Moderator), post #36954, @tgsmartbot

        #News(Security) [ via IoTGroup ]


        Headings…
        A Technical Analysis of the Capital One Hack
        This Keeps Happening
        Gaining a Foothold
        The AWS Metadata Service
        Elevating Access
        Putting It All Together
        What Went Wrong?
        What Went Right?
        Protecting Yourself
        Conclusion

Auto-extracted text:

One particularly important function of the AWS EC2 instance metadata service is to provide temporary credentials that give the instance access to other AWS services, scoped by the permission policy attached to the instance's IAM role.
IAM roles are an alternative to long-lived user access keys and secrets; rather than hard-coding an access key into an application's configuration, the application periodically requests fresh, short-lived credentials from the metadata endpoint.
        By combining the SSRF attack from earlier with the knowledge that an AWS EC2 server has access to a metadata endpoint containing temporary credentials, the attacker was able to trick the server into making a request to the following URL:
        This endpoint returned a role name, which the indictment lists as “*****-WAF-Role,” implying that the accessed server was likely a web application firewall on Capital One’s network.
        Because the IAM role did not have additional conditions attached to it that prevented it from being used outside of the Capital One network, anyone on the planet could use those credentials to sign their own API requests to the AWS API as if they were the EC2 instance inside the network.
        According to the indictment, once the attacker gained access to these credentials, she ran the AWS S3 “ListBuckets” command.
        Once the attacker had gained access to the instance’s IAM credentials, she then took advantage of a considerable misconfiguration — the fact that this instance had excessive permission to list and access data in a large number of S3 bucket locations.
        While it may be easy to blame Capital One’s developers for the loss of data, the truth is that IAM role misconfigurations are likely present in nearly every single AWS account.
        Additionally, whereas a number of previous incidents resulted from S3 bucket permissions that enabled direct public access, that does not appear to be the case here; the attacker was able to gain internal access via an externally-facing vulnerability


        AutoTextExtraction by Working BoT using SmartNews 1.0299999999 Build 26 Aug 2019
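Added example (not from the article above or from the bot's extract): a small offline simulation of the two security-relevant steps the extract describes. First, a URL fetcher that forwards any target it is handed, the behaviour that let an SSRF reach the metadata endpoint, beside a hardened fetcher that resolves the destination and refuses link-local, loopback and private addresses (including the IPv4-mapped IPv6 form and unresolvable hosts, failing closed). Second, a detector that scans CloudTrail-style records for the role's temporary credentials being used from outside the expected network, which is what "anyone on the planet could use those credentials" looks like in the logs. Only the metadata address 169.254.169.254 and the CloudTrail field names are real AWS values; the role name example-WAF-Role, the metadata responses, the DNS table and the log records are constructed for the demo.

```python
import ipaddress
from urllib.parse import urlsplit

IMDS_HOST = "169.254.169.254"  # real EC2 instance metadata address

# Constructed stand-in for the metadata service (hypothetical role name).
FAKE_IMDS = {
    "/latest/meta-data/iam/security-credentials/": "example-WAF-Role",
    "/latest/meta-data/iam/security-credentials/example-WAF-Role": {
        "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "<redacted>",
        "Token": "<session token>",
    },
}

# Constructed DNS table: the hardened fetcher resolves first, then checks the result.
FAKE_DNS = {"example.com": "93.184.216.34", "rebind.test": IMDS_HOST}


def vulnerable_fetch(url):
    """Forwards whatever URL it is handed, like the proxying server in the
    article. Because the request originates on the instance, the metadata
    endpoint answers. Transport is simulated here."""
    parts = urlsplit(url)
    if parts.hostname == IMDS_HOST:
        return FAKE_IMDS.get(parts.path, "404 not found")
    return f"<upstream response from {parts.hostname}>"


def is_internal_address(ip):
    """True for addresses a server-side fetcher must never contact: link-local
    (covers 169.254.169.254), loopback, RFC 1918 / ULA, unspecified. IPv4-mapped
    IPv6 literals are unwrapped so [::ffff:169.254.169.254] cannot slip past."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_link_local or ip.is_loopback or ip.is_private or ip.is_unspecified


def hardened_fetch(url):
    """Same fetcher, but the destination is resolved and checked before any
    request is made; anything that is not a plain public address is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    host = parts.hostname
    try:
        ip = ipaddress.ip_address(host)  # IP literal; decimal/octal forms fall through
    except ValueError:
        if host not in FAKE_DNS:          # unresolvable: fail closed
            raise PermissionError(f"cannot resolve {host}; refusing")
        ip = ipaddress.ip_address(FAKE_DNS[host])
    if is_internal_address(ip):
        raise PermissionError(f"refusing to fetch internal target {host} ({ip})")
    return vulnerable_fetch(url)


def is_refused(url):
    """Convenience wrapper: does the hardened fetcher reject this URL?"""
    try:
        hardened_fetch(url)
    except (PermissionError, ValueError):
        return True
    return False


def role_used_off_network(events, role_name, allowed_cidrs):
    """Scan CloudTrail-style records for `role_name`'s temporary credentials
    being used from outside `allowed_cidrs` (the instance's legitimate egress
    addresses, e.g. its NAT gateway or VPC endpoint range). Returns one
    (eventName, sourceIPAddress) pair per hit."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        if ident.get("type") != "AssumedRole" or issuer.get("userName") != role_name:
            continue
        try:
            src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # calls made on the role's behalf by an AWS service carry a DNS name here
        if not any(src in n for n in nets):
            hits.append((ev.get("eventName"), str(src)))
    return hits


def _role_event(name, src, role="example-WAF-Role"):
    return {"eventName": name, "sourceIPAddress": src,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"userName": role}}}}


# Constructed records: one call from inside the VPC, two from the internet,
# and one unrelated IAM user.
SAMPLE_EVENTS = [
    _role_event("DescribeInstances", "10.0.1.25"),
    _role_event("ListBuckets", "203.0.113.7"),
    _role_event("GetObject", "203.0.113.7"),
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

if __name__ == "__main__":
    creds_url = f"http://{IMDS_HOST}/latest/meta-data/iam/security-credentials/"
    print("vulnerable fetch returns:", vulnerable_fetch(creds_url))
    print("hardened fetch refuses it:", is_refused(creds_url))
    print("role used off-network:",
          role_used_off_network(SAMPLE_EVENTS, "example-WAF-Role", ["10.0.0.0/16"]))
```

The allow-list check in hardened_fetch is deliberately done on the resolved address rather than on the hostname string, since a hostname can be pointed at 169.254.169.254 by whoever controls its DNS. The detector is the log-side counterpart of the IAM condition the extract mentions: a role policy with an aws:SourceVpc or aws:SourceIp condition would have refused the off-network calls outright, and the same CIDR list used here is what such a condition would carry.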
