A company has been forced to close its doors after its AWS EC2 console was hacked, but it could have been prevented, cloud security experts said.
The company, Code Spaces, a code hosting company based in Coventry, UK, had at least six employees -- four developers, a CTO and a founder. Cached blog posts also show its customers had uploaded terabytes of data to its repositories hosted on AWS.
Code Spaces first fell victim to a distributed denial-of-service (DDoS) attack on June 17, according to a message posted on the company's homepage. An unauthorized person also logged in to the company's Amazon Web Services (AWS) Elastic Compute Cloud (EC2) console and left messages instructing the company's management to contact them via email.
"Reaching out to the [email] address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDoS," the company said on its homepage. The company tried to change its passwords, but the intruder was prepared and already created a number of backup logins to the panel.
If you're going to put your eggs in the AWS basket, you have to have the mechanisms in place to really solidify that environment.
chief cloud architect, AMAG Pharmaceuticals
Code Spaces was able to get its panel access back, but not before the hacker removed all Elastic Block Storage (EBS) snapshots, Simple Storage Service bucks, AMIs, and some EBS and machine instances. Most of the company's data, backups, machine configurations and off-site backups were either partially or completely deleted, leaving Code Spaces unable to operate.
While AWS may have been able to intervene in this situation had it been alerted early enough, it's up to EC2 customers to make sure cloud security measures are in place.
"This is a going-out-of-business mistake," said Edward Haletky, CEO of The Virtualization Practice in Austin, Texas. "You cannot depend on Amazon to do everything for you. That's the key takeaway."
To be fair, Code Spaces had security measures in place, but exact details of the company's security efforts, beyond its encryption and SSL-enabled connections, are unknown. Requests to Code Spaces for comment have not been answered. AWS said the problems with Code Spaces are not related to any AWS service issue, and all of its services are operating as designed.
Cloud security measures to prevent attacks
Until it's known what measures Code Spaces took to prevent such an attack, it's not entirely clear what they could have done differently. But this attack may have been preventable, according to some AWS EC2 customers and cloud security experts.
Code Spaces reported it does not believe the hacker is -- or ever was -- a company employee. If true, then multifactor authentication, also known as two-factor authentication (2FA), might have spared the company from the second attack, if not the first.
"If you take identity and access management and you couple it with a secondary security measure, like for instance, 2FA, then you have a much stronger one-two punch," said Nathan McBride, chief cloud architect for AMAG Pharmaceuticals based in Waltham, Massachusetts.
These two security measures shouldn't be done through the same vendor, according to McBride, and alone are not enough to prevent such attacks.
McBride and others also questioned the company's response to the attack, wondering why AWS support wasn't immediately brought in to freeze the account when it was clear it had been hacked.
"It doesn't sound to me like they had a security response plan," McBride said. "It's no joke; if you're going to put your eggs in the AWS basket, you have to have the mechanisms in place to really solidify that environment."
This is also an object lesson in the importance of doing proper data protection when deploying in the cloud -- whether it's through on-premises backups or to a separate cloud -- to prevent the kind of data deletion that occurred in this case.
"It sounds like they kept everything in Amazon," Haletky said. "Where were the off-site backups? And why were they part of the control panel?"