
Archive for January, 2014

Attacking hypervisors without exploits


The OpenSSL website was defaced this past Sunday (a screenshot was posted by @DaveAtErrata on Twitter). On Wednesday, OpenSSL released an announcement that read: “Initial investigations show that the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration.” The announcement led to speculation that a hypervisor software exploit was being used in the wild.

Exploiting hypervisors, the foundation of infrastructure cloud computing, would be a big deal. To date, though, most attacks in the public cloud look much like attacks in the traditional data center: people make the same mistakes and missteps regardless of hosting environment. A good place to study this is the Alert Logic State of Cloud Security Report, which concludes “It’s not that the cloud is inherently secure or insecure. It’s really about the quality of management applied to any IT environment.”

Some quick checking showed OpenSSL to be hosted by SpaceNet AG, which runs VMware vCloud off of HP Virtual Connect with NetApp and Hitachi storage. It was not long before VMware issued a clarification.

VMware: “We have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error.” OpenSSL then clarified: “Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server.”

No hypervisor exploit, no big deal. Right? Wrong.

Our security controls assume that we own the operating system and the hardware it runs on. See, for example, the classic 10 Immutable Laws of Security. “Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore. Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” Hypervisor access lets the bad guy do both: whoever controls the management console can open a guest’s console, attach, snapshot or replace its virtual disks, and read or alter its memory, without ever logging in to the guest itself. It was just one wrong password choice. It was just one wrong networking choice for the management console. But it was game over for OpenSSL, and potentially for any other customer hosted on that vCloud.

It does not take a software exploit to cause a breach, and the absence of an exploit is not the absence of lessons to be learned. Josh Little (@zombietango), a pentester I work with, has long said “exploits are for amateurs”. When Josh carried out an engagement at a VMware shop recently, he used a situation very much like the one at SpaceNet AG: he hopped onto the hypervisor management console. The point is to get in quickly, quietly, and easily. The technique is about finding the path of least resistance.

Leveraging architectural decisions and administrative sloppiness is a valid attack technique. What changes with cloud computing is scale and automation. That change magnifies otherwise small mistakes by IT operations and makes compromises like OpenSSL’s possible: one weak credential on one shared console now reaches every tenant behind it. Low-quality IT management becomes even more costly.
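As an added example (not code from the original post, from OpenSSL, or from any vendor), here is a detection that a hosting provider’s SOC could run over its management-console audit trail to catch the two mistakes discussed above: a console login from outside the admin network, and a single session reaching into guests that belong to several tenants. The event format, the admin network range, the action names and the sample records are all constructed assumptions for this example; a real vCloud or vCenter audit log has its own format and would need its own parser.

```python
"""Detection over hypervisor management-console audit events (added example)."""
import ipaddress
from collections import defaultdict

# Networks the provider's admins are expected to reach the console from.
# Assumed for this example; substitute your own allow-list.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample events in a hypothetical audit format (not a real
# vCloud/vCenter log format): one record per management-console action.
SAMPLE_EVENTS = [
    {"ts": "2014-01-01T02:10Z", "user": "ops-admin", "src": "10.10.0.15",
     "action": "login", "tenant": None, "vm": None},
    {"ts": "2014-01-01T02:11Z", "user": "ops-admin", "src": "10.10.0.15",
     "action": "vm.power.on", "tenant": "tenant-a", "vm": "web-01"},
    {"ts": "2014-01-05T03:02Z", "user": "ops-admin", "src": "198.51.100.7",
     "action": "login", "tenant": None, "vm": None},
    {"ts": "2014-01-05T03:03Z", "user": "ops-admin", "src": "198.51.100.7",
     "action": "vm.console.open", "tenant": "tenant-b", "vm": "www-03"},
    {"ts": "2014-01-05T03:04Z", "user": "ops-admin", "src": "198.51.100.7",
     "action": "vm.disk.attach", "tenant": "tenant-b", "vm": "www-03"},
    {"ts": "2014-01-05T03:06Z", "user": "ops-admin", "src": "198.51.100.7",
     "action": "vm.console.open", "tenant": "tenant-c", "vm": "db-02"},
]

# Actions that give the operator Law #2 / Law #3 power over a guest: console
# (physical-equivalent) access or changes to the guest's virtual hardware.
# Action names are assumptions for the constructed format above.
GUEST_CONTROL_ACTIONS = {
    "vm.console.open", "vm.disk.attach", "vm.disk.detach",
    "vm.snapshot.revert", "vm.reconfigure",
}


def logins_outside_mgmt_network(events, mgmt_networks=MGMT_NETWORKS):
    """Return (ts, user, src) for console logins not from an allowed network."""
    hits = []
    for ev in events:
        if ev["action"] != "login":
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in mgmt_networks):
            hits.append((ev["ts"], ev["user"], ev["src"]))
    return hits


def tenants_touched_per_session(events):
    """Map (user, src) -> set of tenants whose guests were directly controlled."""
    touched = defaultdict(set)
    for ev in events:
        if ev["action"] in GUEST_CONTROL_ACTIONS and ev["tenant"]:
            touched[(ev["user"], ev["src"])].add(ev["tenant"])
    return dict(touched)


def findings(events, mgmt_networks=MGMT_NETWORKS, max_tenants=1):
    """Combine both checks into a list of alert strings."""
    alerts = []
    for ts, user, src in logins_outside_mgmt_network(events, mgmt_networks):
        alerts.append(f"{ts} {user} logged in to the management console "
                      f"from {src}, outside the admin network")
    for (user, src), tenants in tenants_touched_per_session(events).items():
        if len(tenants) > max_tenants:
            alerts.append(f"{user}@{src} controlled guests of {len(tenants)} "
                          f"tenants: {', '.join(sorted(tenants))}")
    return alerts


if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```

The `max_tenants` threshold is a tuning knob: a provider’s admin will legitimately touch several tenants during maintenance, so in practice you would raise the threshold or scope it by change window. The point is that the cross-tenant reach of one console session is exactly what should be visible to the provider, because it is exactly what the customers cannot see from inside their guests.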

And cloud computing’s magnification effect on security is a big deal.

Happy New Year 2014


TLDR: 2013 rocked and 2014 will be even better.

My 2013 resolution was “Read less, do more.” Do more, I did. Let’s recap.

Software development. I added new channels to the #incog library and rewrote it as a PowerShell module, which I released at a talk at Source Boston and taught at a workshop at Eastern Michigan University. I contributed to the PowerShell Security (PoshSec) project, which I presented on with the project lead, Matt Johnson, and this became one of the most popular talks on the #misec YouTube channel. I also contributed to a variety of side projects with Charles Green of SimplyCubed.

Systems engineering. My DevOps team at Munder Capital architected and designed a new private cloud infrastructure that offers significantly higher performance and security than public cloud, at a lower price point. I presented on both the design and on my team leadership at CIO Symposiums in Grand Rapids and Sioux Falls. I left Munder in August, confident in my team’s ability to execute on the vision.

Cyber security. I joined VioPoint as the VP of Consulting in August, and I have been building out the security team and the new Security Operations Center. Collaborating with MiSec, we began working on a threat modeling approach. It is a unique model in that it encompasses communication, threat intelligence, mitigating controls, and security exercises. We have since presented this approach at a number of conferences and taught it at a workshop, and are working on a whitepaper.

This brings us to 2014, where my resolution is growth. Growth for my MiSec community. Growth for my VioPoint team. Growth for me, personally and professionally. We have expanded the MiSec monthly meeting space and we will be launching a new conference this summer. I will be adding several more talented folks to my VioPoint team, and expanding our security monitoring and testing services. You can expect to see me engaging more with the security community and being a bit more out in front than I have been in years past. It is time to take it up a notch.

As always, thank you for reading and joining me. Let’s roll.