(UPDATE 3/8/1018) After consultation with Capital One’s legal team and technical teams, UpGuard was informed that Capital One’s system security was not impacted by this matter, and UpGuard has therefore updated its post.
Birst has provided the following statement:
“A Birst employee placed a copy of certain non-production components of the Birst software in a publicly-available S3 bucket to provide a prospective customer in the financial services industry non-production, read-only access to the software (a proof-of-concept). These components were not populated with data; no data from the financial institution was ever present in the test environment at any time, although the filename contained the name of the financial institution. There were no encryption keys contained in the appliance files posted as was erroneously reported. Rather, the file in question (client.key) is used to enable the Administration client within Birst's appliance to connect to the application server. At no time were any data, credentials, or configuration information from the financial institution compromised. Nevertheless, upon receiving notice in January, Birst immediately removed and disabled access to the Amazon S3 file.”
N.b.: The file "client.key" is an RSA private key.
The UpGuard Cyber Risk Team discovered a cloud-based data storage repository attributed to Birst, a business analytics software provider, that was left exposed to the public internet, revealing technical data about a Birst appliance. Although it appears that no customer data was exposed from this incident, it highlights the risks of using cloud storage for software delivery.
Exposed within the bucket were administrative access credentials, passwords, and a private key for use on the Birst appliance. When in production, Birst’s appliances provide security features that could normally mitigate the risk of a cloud leak; by entirely cutting the on-premises Birst cloud environment off from access to the wider internet, the likelihood of security misconfigurations resulting in the exposure of critical information would be diminished.
Left exposed, the credentials in the bucket reveal a roadmap of how to theoretically compromise a Birst appliance. While it is likely a local system with access in and out of the appliance’s production environment would first need to be compromised for further exploration to occur, the exposed data represents an unnecessary risk.
On January 15th, 2018, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon S3 storage bucket located at the subdomain “capitalone-appliance” and left configured for public access. That same day, Vickery contacted Capital One to alert them to their potential exposure. Within an hour a Capital One employee replied to Vickery to confirm that the bucket was no longer publicly accessible. The Capital One security team deserves recognition for their exceptionally fast response. While UpGuard has subsequently learned that the S3 bucket did not belong to Capital One, their action resulted in one of the fastest response times of any of the data exposures the UpGuard Cyber Risk team has secured to date.
The bucket, as indicated by its name, contained 50.4 GB of data across three distinct folders: “Birst Appliance 523,” “Birst Appliance 528,” and “Raw Time Tables.” While “Raw Time Tables” appears to contain no highly sensitive data, the “523” and “528” folders contained copies of successive versions of Birst’s on-premises multi-tenant cloud software. Capital One subsequently informed UpGuard that the appliance was created by Birst as a proof of concept test appliance that did not access Capital One data or connect to Capital One IT or business intelligence systems. UpGuard has not found evidence that that the S3 bucket contained Capital One customer or enterprise data.
What is an “on-premises multi-tenant cloud environment,” and why would a corporation deploy a system of the sort offered by Birst? By running a cloud environment confined only to on-premises systems, with no connection to the external internet, a cloud leak to the wider world is inherently difficult. By copying these appliance contents to a publicly accessible Amazon bucket as part of the software delivery method, however, this enclosure is broken, and information intended to remain within a private environment is instead accessible in the public cloud. In this case, the folder “Birst Appliance 528” was uploaded on November 13, 2017, leaving these contents available for approximately two months until access was removed on January 15 following UpGuard’s notification.
Were this appliance placed into an environment with production data, the exposed appliance provides a roadmap of where attackers would want to focus their energies in seeking to compromise local systems. Fortunately, that was not the case here. Of interest are the locations of the ports connecting the appliance with the other services that would feed its business intelligence dashboards. As Birst writes on their website, "Birst creates a set of interwoven analytics and BI instances that share a common data-as-a-service fabric." This data pooling makes the appliance a uniquely valuable target, providing access to data from Salesforce, JIRA, Marketo, and Amazon Web Services, among others.
A mitigating factor is that one would likely first need to compromise a customer’s local network to attempt to compromise the appliance. In itself, this cloud leak does not expose the private information stored in those other systems. Rather, this leak would multiply the effect of any successful attack– whether through phishing, malware, social engineering, or insider threat–to a potentially catastrophic scale. In a typical breach, attackers must perform considerable reconnaissance to successfully navigate inside a target's environment. With the information exposed in this bucket, a potential attacker would have a starting point for where to find data on infrastructure, sales forecasts, and product development. The architecture of the Birst product to centralize critical business information is what makes the heightened possibility of its exploitation so concerning even in the absence of a direct method for accessing the appliance.