Cayman Islands Bank Records Exposed in Open Azure Blob

A Cayman Island investment firm has removed years of backups, which up until recently were easily available online thanks to a misconfigured Microsoft Azure blob. The blob’s single URL led to vast stores of files including personal banking information, passport data and even online banking PINs — which in addition to a security problem, presents a potential public-relations nightmare for a firm in the business of discreet, anonymous offshore financial transactions.

The massive cybersecurity blunder was pointed out by a researcher to The Register, which agreed not to disclose the name of the compromised bank in return for details about how this happened. Once evidence was given to the bank of the exposed data, the information was passed onto a bank staffer with a college computer science background, the report added. There was no one else on staff specifically dedicated to cybersecurity.

The Register added that the firm’s staff were “completely unaware” how the Azure blob worked (the Azure blob is the Microsoft backup storage solution that competes with Amazon Web Services S3 bucket and other cloud storage solutions). The entire operation was completely dependent on an outside provider for cybersecurity.

The Register said the firm claims it manages $500 million in investments.

“This was a backup solution provided by our IT vendor in Hong Kong which we saw as a fairly normal cloud provision,” the bank employee said in response to The Register. “Clearly there’s some issue here!”

The data has since been removed from view by the IT vendor.

Cybersecurity and legal expert Ilia Kolochenko, who founded and serves as the CEO of ImmuniWeb, said the investment firm should expect fallout from the breach.

“For this specific case, most jurisdictions will likely consider this incident to be gross negligence, exposing the fund to a series of lawsuits from the clients,” Kolochenko told Threatpost. “In the past, similar incidents led to bankruptcies due to irreparable impact on the reputation and inability to continue operations with frustrated customers. We should also expect various law enforcement agencies, in charge of the prosecution of tax evasion or money laundering, to start a probe of the documents for investigative purposes.”

Cloud Misconfiguration Breaches

Regardless of the flavor or brand of cloud storage, misconfigurations have plagued all sorts of businesses in recent months.

Hotel reservation platform Cloud Hospitality, which is used by hotels to integrate their systems with online booking systems, recently exposed the data of about 10 million people as the result of a misconfigured Amazon Web Services S3 bucket.

Subscription Christian app Pray.com, which has been downloaded by more than a million people on Google Play, also exposed the personal data of its tens of millions of customers, including payment information submitted by subscribers for donations.  Here too, the culprit was a misconfigured AWS S3 bucket.

“Through further investigation, we learned that Pray.com had protected some files, setting them as private on the buckets to limit access,” vpnMentor’s report on the breach said. “However, at the same time, Pray.com had integrated its S3 buckets with another AWS service, the AWS CloudFront content delivery network (CDN). Cloudfront allows app developers to cache content on proxy servers hosted by AWS around the world – and closer to an app’s users – rather than load those files from the app’s servers. As a result, any files on the S3 buckets could be indirectly viewed and accessed through the CDN, regardless of their individual security settings.”

Google Cloud users have experienced similar cloud configuration challenges. Last September, a Comparitech survey of 2,064 Google Cloud Buckets found 6 percent of Google Cloud buckets are misconfigured and open to public view.

Time to Ramp-Up In-House Expertise

This widespread cloud vulnerability landscape is growing ever wider since businesses have had to quickly shift to a remote work setup in the wake of the pandemic. And malicious actors have taken notice.

According to report from Accuris last spring, 93 percent of cloud deployments analyzed were misconfigured and one in two had unprotected credentials stored in container configuration files.

“The only way to reduce such exposures is to detect and resolve policy violations earlier in the development lifecycle and ensure that cloud native infrastructure is provisioned securely to being with,” the report recommended. “As organizations embrace infrastructure-as-code (IaC) to define and manage cloud native infrastructure, it becomes possible to codify policy checks (policy-as-code) into development pipelines.”

Securing the cloud, and the sensitive data stored in it, needs to become a top priority at all levels of organizations both for protecting the business reputation, as well as the bottom line, researchers warned.

“Countless organizations of all sizes blindly move their data to the cloud without proper training of their IT personnel,” Kolochenko added. “Eventually, this leads even to larger disasters than criminal data breaches. Worse, cybercriminals are well aware of the myriad of misconfigured cloud instances, and continuously monitor the entire internet for such low-hanging fruit. Such attacks, unless exposed by the media or security researchers, are virtually undetectable and thus extremely dangerous: the integrity of your trade secrets and most sensitive data may suddenly get into the hands of your competitors, malicious nation-state actors and organized crime.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and other security experts, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.