VPNOverview’s security team in April discovered an improperly stored virtual machine (VM) image that belongs to Moss Adams, one of the largest public accounting firms in the U.S.
Access to the image, which was stored in a publicly accessible Amazon Web Services S3 bucket, did not require a password. We disclosed the breach on April 15, and Moss Adams secured their cloud network shortly afterward.
Our team could enter Moss Adams’ corporate cloud using an RSA key from the VM’s filesystem. The key allowed us to log in to a workstation and access sensitive information. No customer data was exposed during the course of this investigation.
Entering Moss Adams’ Corporate Cloud
VPNOverview’s security team downloaded the VM image and mounted the filesystem, bypassing the passwords associated with the machine. From there, we were able to explore the filesystem of the VM image.
On the filesystem, we discovered an RSA key and a Linux service file containing a connection string. Our team used that information to connect to a cloud workstation using Secure Shell (SSH). We discovered the workstation was used by Moss Adams’ cybersecurity team.
A close examination of the filesystem revealed sensitive information, but no data belonging to Moss Adams’ customers.
“The risk of leaving VM images laying around on the cloud is that they may have sensitive information. In this case, that’s exactly what we found,” Aaron Phillips, the cybersecurity professional who led the VPNOverview investigation into this breach, said.
Nessus Report and Cracked Passwords
After gaining entry to Moss Adams’ cloud workstation, we found that we also had root access to the machine. As a result, we were able to explore the filesystem without restrictions.
We discovered a Nessus report that detailed internal systems. It contained information about hardware and operating systems.
When asked for comment, Moss Adams clarified that the report was generated on a different workstation, saying “That VM was also used to parse Nessus results so the output identified was on there waiting to be parsed and had nothing to do with any Moss Adams corporate environment. The results may have been from a VA scan of a lab environment or from an internal pen test, but certainly not from any MA networks or systems.”
We also found the results of a cracking session that appeared to expose some internal passwords, along with HTTP request headers that appeared to show valid authentication keys. This data was located in the clipboard cache.
Moss Adams also clarified, “This AWS instance was completely isolated from the Moss Adams corporate IT environment, systems, and related client data. The fact is that we do not currently use AWS to host any of our corporate systems or client data. This AWS instance was used solely for purposes of performing external penetration testing and hosting the related tools that we do not want housed or comingled within our corporate production environment.“
Timeline
Here’s a timeline of our discovery, and Moss Adams’ subsequent work to fix the breach.
| Event | Date |
|---|---|
| Discovered the VM image | April 14th, 2022 |
| Gained access to Moss Adams’ cloud workstation and networks | April 15th, 2022 |
| Reported the breach to Moss Adams | April 15th, 2022 |
| Moss Adams closed the breach | April 20th, 2022 |
Moss Adams fixed the breach shortly after we reported it. They responded to our disclosure email quickly and closed the breach in less than a week. As a result, their cloud is now secure, and we can confirm that our access to the workstation has been revoked.
What Moss Adams Can Teach Us About Cloud Security
“If this can happen to a major accounting firm with their own cybersecurity team, it can happen to anyone. But ultimately, this breach happened because a few fundamental best practices were overlooked,” Phillips said.
We could access Moss Adams’ workstation because an RSA key was stored in a VM image. Since these keys are sensitive, it’s important that companies store them securely.
It would have been impossible to access the cloud workstation if Moss Adams had not accidentally shared the connection string to the machine in a service file. We believe the service was a custom solution that enabled the VM to “phone home” and report when the machine comes online. Amazon has turnkey solutions that could have fulfilled the same role without the associated security risk.
“In this case, a series of small mistakes and misconfigurations gave us workstation access to one of America’s biggest accounting firms. The ironic thing is, Moss Adams is more prepared to face a cyberattack than most businesses, but it only takes one error to open up unexpected avenues of attack. A compromised pentesting (penetration testing) instance is an ideal place to launch further attacks. I’m relieved none of Moss Adams’ customers were exposed,” Phillips said.
It is not advisable for companies to store sensitive files in a public bucket. During our investigations, we’ve found leaky buckets containing sensitive Personally Identifiable Information (PII). Since December 2021, we’ve reported on leaky bucket breaches involving several renowned companies, including SEGA, Switch, Sephora, Clubster, and most recently Survival Servers. In each case, the companies worked to patch the security gaps soon after we notified them.
Updated June 21st, 2022. Added quotes from Moss Adams. Changed some instances of “private cloud” to “corporate cloud.”
