The Rise of Misconfiguration and Supply Chain Vulnerabilities
Singapore-based telecom firm, Singtel, revealed last week it had suffered a security breach as a result of relying on an unpatched legacy file sharing product. The breach has compromised not only the information of some important enterprise customers, but also Singtel’s suppliers and partners. The vulnerability of supply chains has been top of mind since the SolarWinds attack, which still dominates headlines, but this Singtel breach also reflects the rise of breaches triggered by misconfiguration vulnerabilities.
Organizations are only as secure as their least secure supplier. Cybercriminals do not care if you are in the process of decommissioning legacy systems. If your systems are available 24/7, you need continuous security to match. HackerOne customers paid out over $150,000 in bounties in the past few weeks alone for misconfiguration or supplier vulnerabilities - demonstrating the volume and value of these bugs to our customer set. These potential attacks have instead been thwarted by hackers continuously testing authentication or authorization that could be left vulnerable.
Remote file sharing is currently of utmost business criticality for distributed workforces, and relying on legacy and outdated systems is only going to lead to a greater chance of a breach, especially if the manufacturer stops issuing patches - it’s a common way into your network.
Data leaks like this are on the rise, with cloud services no more secure than legacy ones. In the past year we’ve seen S3 bucket misconfigurations responsible for breaches in software providers, hospitality, dating apps, and financial services organizations. Legacy systems typically suffer from unpatched software, weak credentials, or misconfigurations where inherited files are unintentionally exposed to unauthorized actors.
According to Gartner, 95% of misconfigurations are caused by the organization itself - they are most often deployed during large migration projects as organizations move to cloud platforms, including Amazon AWS, Microsoft Azure, and Google Cloud Platform -- to accommodate for distributed workforces, for example. These Lift ‘n’ Shift projects are exposing large datasets by accident, due to insufficient authentication or authorization checks. In the past 12 months, there has been an incredible 310% increase in hackers reporting valid reports for misconfiguration vulnerabilities to the HackerOne platform. These vulnerabilities can then be exploited when malicious actors, who are continuously scanning the internet for misconfigured services, pick up on a signal that indicates a potential weakness in an organization. The criminals then use their tools to try to download the exposed data.
The problem is that, due to the unwieldy growth of these systems, many system administrators fail to know what their attack surface looks like and weaknesses are therefore missed: you can’t fix what you can’t see. Use attack surface management tools to understand where to look for changes and patches in the first place, and harness hackers to provide unparalleled vulnerability insights to gain control over those rapidly expanding attack surfaces.
No organization is immune from vulnerabilities, but knowing what you’re up against will go a long way to avoiding an embarrassing breach or unexpected attack. A good place to start understanding the vulnerabilities that are most likely to come up is HackerOne’s Top 10 vulnerabilities.