What We Can Learn From the Capital One Hack

The Capital One breach was initially described by many as a zero-day or insider attack, but the investigation revealed that the attacker used a well-known technique: Server-Side Request Forgery (SSRF). Capital One ran a misconfigured Web Application Firewall (WAF) in front of services it hosted on Amazon Web Services (AWS). The attacker was able to make the WAF relay requests on the attacker's behalf to a back-end AWS resource, the instance metadata service, which hands a cloud server the temporary credentials for the IAM role it runs under. Those credentials are only as powerful as the permissions granted to that role, and in Capital One's case the role was permitted to list and read cloud storage (S3) buckets that the WAF itself had no need to access, so the attacker could copy their contents. Evan Johnson, manager of the product security team at Cloudflare, wrote, "SSRF has become the most serious vulnerability facing organizations that use public clouds." He also stated that "The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it. The problem is common and well-known, but hard to prevent and does not have any mitigations built into the AWS platform."
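The relay pattern described above, shown as an added example (this is not code from the Krebs article, from Capital One, or from AWS): a service that fetches client-supplied URLs, first as the misconfigured relay and then hardened to refuse link-local and private destinations. The "network" and "DNS" are constructed in-memory tables so the code runs offline; the role name, credential values and hostnames are assumptions made for illustration. 169.254.169.254 is the real address of the AWS instance metadata service.

```python
"""Added example: an SSRF-prone URL relay beside a hardened one.

Everything below is constructed for the demo and runs offline: the fake
network table, the fake DNS table, the role name and the credential JSON are
assumptions, not data from the article.
"""
import ipaddress
from typing import Callable, Dict
from urllib.parse import urlsplit

IMDS = "http://169.254.169.254"  # real AWS instance metadata address
IMDS_ROLE_LIST = IMDS + "/latest/meta-data/iam/security-credentials/"
IMDS_ROLE_CREDS = IMDS_ROLE_LIST + "ExampleWafRole"  # assumed role name

# Constructed stand-in for what an HTTP client inside the VM could reach.
FAKE_NETWORK: Dict[str, str] = {
    IMDS_ROLE_LIST: "ExampleWafRole",
    IMDS_ROLE_CREDS: '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"example",'
                     '"Token":"example"}',
    "http://93.184.216.34/": "<html>public site</html>",
}

# Constructed DNS table; the second name shows an attacker pointing a public
# hostname at the metadata address to slip past a naive string check.
FAKE_DNS: Dict[str, str] = {
    "example.com": "93.184.216.34",
    "metadata.attacker.example": "169.254.169.254",
}


def fake_resolve(host: str) -> str:
    """Stand-in for socket.gethostbyname(): IP literals pass through,
    names are looked up in FAKE_DNS, unknown names fail to resolve."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        if host in FAKE_DNS:
            return FAKE_DNS[host]
        raise ValueError(f"unresolvable host: {host!r}")


def vulnerable_relay(url: str,
                     fetch: Callable[[str], str] = FAKE_NETWORK.__getitem__) -> str:
    """The misconfiguration the article describes: the service fetches
    whatever URL the client hands it, using the instance's own network
    position, so a link-local metadata URL is relayed like any other."""
    return fetch(url)


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses; rejects loopback,
    RFC 1918, link-local (169.254.0.0/16, which covers IMDS), multicast,
    unique-local IPv6 and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def hardened_relay(url: str,
                   resolve: Callable[[str], str] = fake_resolve,
                   fetch: Callable[[str], str] = FAKE_NETWORK.__getitem__) -> str:
    """Allow-list the scheme, resolve the host once, check the resolved
    address, then connect to that address (not to the hostname again) so a
    DNS answer that changes between check and use cannot be exploited.
    A real client would still send the original hostname in Host/SNI."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    ip = resolve(parts.hostname)
    if not is_public_address(ip):
        raise ValueError(f"{parts.hostname} resolves to non-public address {ip}")
    netloc = ip if parts.port is None else f"{ip}:{parts.port}"
    return fetch(parts._replace(netloc=netloc).geturl())


def relay_rejects(url: str) -> bool:
    """Convenience for checks: does the hardened relay refuse this URL?"""
    try:
        hardened_relay(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The misconfigured relay leaks the role name, then its credentials.
    role = vulnerable_relay(IMDS_ROLE_LIST)
    print("leaked role:", role)
    print("leaked creds:", vulnerable_relay(IMDS_ROLE_LIST + role))
    # The hardened relay refuses both the literal and the DNS-pointed form.
    for u in (IMDS_ROLE_LIST, "http://metadata.attacker.example/latest/meta-data/"):
        print("hardened:", u, "->", "blocked" if relay_rejects(u) else "allowed")
```

The hardened version resolves once, checks the address and connects to the checked address rather than the hostname, which closes the gap a string blocklist leaves open (a hostname the attacker controls can resolve to 169.254.169.254). On the AWS side the complementary controls are requiring IMDSv2, which was released after this article and only returns metadata to requests carrying a session token obtained with a PUT, so a plain GET relayed through a WAF no longer yields credentials, and scoping the role attached to the WAF to the minimum it needs so that leaked credentials cannot reach data stores.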

Relevant URL(s): https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/