While cloud-computing services are often touted as more secure than building and hosting applications in-house, that doesn't mean those cloud services are without their flaws. And with hackers increasingly looking to deploy their attacks through the software supply chain, cloud security is back in the spotlight.

Cybersecurity researchers found vulnerabilities in the infrastructure of a large software-as-a-service provider that, if exploited by an attacker, could've been used by cyber criminals as part of a cloud-based supply chain attack. 

Recommends

The best cybersecurity certifications

These certifications can help you enter an industry with a high demand for skilled staff.

The unspecified SaaS provider invited cybersecurity researchers at Palo Alto Networks to conduct a red team exercise on their development software pipeline in order to identify vulnerabilities in the supply chain.

SEE: A winning strategy for cybersecurity (ZDNet special report)

"In just three days, a single Unit 42 researcher discovered critical software development flaws that left the customer vulnerable to an attack similar to those on SolarWinds and Kaseya VSA," the security company said.

At a time when so many businesses are reliant on cloud services, it demonstrates how misconfigurations and vulnerabilities can have a huge impact if not managed properly because of the hundreds or even thousands of companies that are reliant on the infrastructure.

Initially provided with the limited developer access a contractor would have, the researchers managed to elevate privileges to the extent that they were able to gain administrator rights to the wider continuous integration (CI) cloud environment.  

Using this access, researchers examined as much of the environment as they could and were able to locate and gain access to 26 identity and access management (IAM) keys. Some of these contained hard-coded credentials that provided unauthorised access to additional areas of the cloud environment, which could be exploited to gain administrator access -allowing what should have been an account with limited access to gain privileges that open up the whole environment. 

While the company that had requested penetration testing was able to detect some of the activity researchers engaged in, it was only after administrator access had been gained that this was the case -in the event of a real attack, this would have been too late and attackers would have compromised the system.  

After the exercise, the researchers worked with the organization's security operations center, DevOps, and red and blue teams to develop a plan of action to tighten up security with a focus on the early identification of suspicious or malicious operations within their software development pipeline.

The researchers knew what they were looking for so were able to easily identify misconfigurations and vulnerabilities to exploit. While this might involve advanced knowledge of these environments and how to exploit them, it's the sort of thing that specialised attack operations like ransomware gangs or nation-state backed advanced persistent threat groups would also be familiar with -and will actively exploit if they can, as demonstrated by recent incidents. 

"Successful supply chain attacks are particularly devastating due to the widespread fallout of the attacks, for example potentially thousands of downstream customer environments being compromised. The risk of fallout conditions should mandate the increase of security mechanisms and procedures used to protect the supply chain", Nathaniel Quist, principal researcher at Unit 42 at Palo Alto Networks, told ZDNet. 

SEE: Cloud security in 2021: A business guide to essential tools and best practices

Part of the reason these environments can be exploited is because they're complex and can be difficult to secure