CloudPassage®, the leading cloud infrastructure security company, today released a report detailing the outcome of The Gauntlet, a recent capture-the-flag-style live server exploitation exercise aimed at understanding how vulnerable cloud environments are to motivated hackers. According to the report, the winning hacker was able to fully compromise an unpatched, minimally configured cloud server instance in under four hours.
“Despite the best efforts of the security community and the cloud providers themselves, there is a common misperception that cloud infrastructure does not need additional security. The Gauntlet project shows just how easily a motivated attacker can compromise cloud infrastructure that’s not configured for survivability,” said Carson Sweet, CEO of CloudPassage. “Cloud computing requires renewed security diligence, preferably achieved through built-in security automation. Application development teams and security administrators should not need to worry about minutiae that create major security exposures, but are easily eliminated through automation.”
Facilitated by Bugcrowd, an independent third-party bug bounty provider, The Gauntlet drew 367 ethical hacking participants from 41 different countries over the course of 23 days beginning September 11, 2013. The participants were asked to target a pool of six servers provisioned with various Microsoft and Linux-based operating systems running a variety of databases, FTP servers and application frameworks. The servers were launched in their default configurations and no additional security controls were applied, a common practice in cloud infrastructure environments.
Over 100 security issues were reported, 90 of which were successfully validated as true remote exposures. The winning hacker, who works for an IT company and is currently studying computer science at a California university, considers information security and bug bounties a side hobby. The winner established a foothold using a weakly protected administrative web interface, which contained application vulnerabilities and excessive rights that were further exploited to gain complete access to and control over the system.
“What I did could be boiled down to a single batch script,” said The Gauntlet winner. “Once access is gained to an administrator account on an application interface, it would take only a minute or two to gain full access to a similarly configured system. I hope this has shown the potential damage an attacker can cause.”