In the last few weeks, the Orca Security Research Team found multiple critical zero-day vulnerabilities. We’re announcing two in AWS today: Superglue and BreakingFormation. These vulnerabilities could’ve allowed unauthorized access to customer data and/or sensitive code and data within the public cloud. We followed responsible disclosure practices and worked with AWS to fix each vulnerability.

Wait! Did you just say there were public cloud vulnerabilities that could’ve allowed breaking into my environment? Will there be more in the future?

Yes. Vulnerabilities have existed since the dawn of computing, and unfortunately, they are going to stay with us for the foreseeable future. They exist in literally every piece of software – from our laptops, smartphones, smart-aquarium thermometers, and of course, modern cloud environments. There is no silver bullet that prevents vulnerabilities. 

We all witnessed this a few weeks ago with Log4j. The real-world playbook is simple. Vulnerabilities will be discovered–preferably by the good hackers. Defenders must identify all of their vulnerable assets, patch them, and continuously look for breaches that may have occurred prior to patching. It would be naïve to assume that there are no additional undiscovered vulnerabilities in cloud environments. That’s why we work relentlessly to discover them before the bad actors do. In fact, we will announce more public cloud vulnerability discoveries in the coming months in accordance with responsible disclosure guidelines.

Should I move all of my workloads back on-prem?

No. The Superglue and BreakingFormation vulnerabilities are actually prime examples of why public cloud environments are dramatically more secure than on-prem environments. In both these cases, the vulnerabilities were completely mitigated by the cloud service provider. AWS patched their services within days – before the vulnerabilities were published in the wild. This is in stark contrast to vulnerabilities found in unmanaged software like Log4j – that boiled down to a race between attackers and defenders. That race continues to be a slog. We found that two weeks into the Log4j debacle 75% of our customers still had at least one asset affected by Log4j. With Superglue, AWS had partial mitigation deployed globally within a day, followed by full mitigation a few days later.   

The fact that critical vulnerabilities in cloud environments are resolved so quickly is one of the most compelling reasons to use the cloud. For the overwhelming majority of organizations, it is impractical to implement response actions on par with what the cloud service providers performed.

Is there a chance that attackers utilized these cloud vulnerabilities to steal my data?

We’re not aware of any threat actor that utilized these vulnerabilities, and we used extreme caution to prevent any technical details from leaking.

Did Orca Security researchers access my data using these cloud vulnerabilities?

No. We set up dummy organizations specifically for those purposes.

Having said that, we don’t know if the vulnerabilities were discovered and exploited by threat actors prior to our discovery. As always, good practices apply here: continue blocking holes and monitor your environment for suspicious behavior.

This is all very impressive, but how can this benefit my company?

We help major cloud providers and hundreds of enterprise customers protect their cloud. Can you imagine what we can do for you? 

Well, you don’t have to imagine. 

I invite you to experience our tech and talent first-hand with a no-obligation, free cloud risk assessment. You’ll get complete visibility into your public cloud, a detailed risk report with an executive summary, and time with our cloud security experts.

Epilogue

It is a popular misconception that ostriches stick their heads in the sand when under attack. They don’t. They either fight back or run away from the danger (they are, in fact, the fastest two-legged animal). It makes no sense to bury your head in the sand to avoid danger, and frankly, they would have become extinct if they took this approach.