The SolarWinds Orion supply chain compromise a few months ago may also endanger Amazon Web Services and Microsoft Azure API keys, and every account tied to them.
According to security company Ermetic, the attack does not only affect organizations' on-premises systems but also their cloud-based infrastructure. Other experts have likewise warned that it could become a serious threat to cloud-based services.
If the suspected attackers, believed to be Russian intelligence operatives, were to extract and decrypt API keys from compromised Orion databases, they would gain access to the related cloud services. With root API keys they could also obtain administrative access to any compromised account.
Therefore, it is essential that organizations take the fundamental precautions to protect their data and identify all exposed credentials. Recommended responses include rotating credentials, enforcing least-privilege policies, and deploying Orion only in standalone, isolated accounts.
However, if Orion is deployed in an account that is not completely isolated from the rest of the cloud environment, everything that came into contact with that account could be compromised as well, because its resources and identities remain connected to the wider cloud. Similarly, any part of the cloud environment that uses the Orion IAM identity could be compromised, since that identity would give attackers access to sensitive resources.
Hence, every company should put stronger controls on internal access policies in place and manually review every identity and resource to determine the extent of its exposure and take effective action.
It is also vital that security teams understand the impact on other clouds in order to determine the full extent of the damage. If other integration accounts are compromised, they may in turn be used to exfiltrate data or to maintain a foothold in further environments, creating an even greater threat.
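One way to start the review described above is to scope everything a monitoring identity did from CloudTrail records: which services it called, which access keys it used, which actions were writes, and which roles in other accounts it assumed. The following is an added example, not code from the article or from Ermetic; the role name `OrionMonitoringRole`, the account ids, key ids and events are constructed placeholders.

```python
"""Scope what a monitoring identity touched, from CloudTrail-shaped events."""
from collections import defaultdict

SUSPECT_IDENTITY = "OrionMonitoringRole"  # hypothetical Orion IAM role name
ORION_ARN = "arn:aws:sts::111111111111:assumed-role/OrionMonitoringRole/orion"

# Constructed CloudTrail-style records (not real telemetry), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "recipientAccountId": "111111111111",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001", "arn": ORION_ARN}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "recipientAccountId": "111111111111",
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/IntegrationReader"},
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001", "arn": ORION_ARN}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "recipientAccountId": "111111111111",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00002", "arn": ORION_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "recipientAccountId": "111111111111",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00002", "arn": ORION_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",  # unrelated identity
     "recipientAccountId": "111111111111",
     "userIdentity": {"accessKeyId": "AKIAOTHERUSER000001",
                      "arn": "arn:aws:iam::111111111111:user/deploy-bot"}},
]

READ_PREFIXES = ("Describe", "Get", "List", "Head")

def scope_identity(events, identity):
    """Return services/actions, access keys, write actions and cross-account
    role assumptions attributable to `identity`; each is a review/rotation item."""
    calls, keys, cross_account, writes = defaultdict(set), set(), set(), set()
    for ev in events:
        ident = ev.get("userIdentity", {})
        arn = ident.get("arn", "")
        # Match assumed-role sessions (.../assumed-role/<name>/<session>) and IAM users.
        if f":assumed-role/{identity}/" not in arn and not arn.endswith(f":user/{identity}"):
            continue
        service = ev["eventSource"].split(".", 1)[0]
        calls[service].add(ev["eventName"])
        keys.add(ident.get("accessKeyId", "<none>"))
        if ev["eventName"] == "AssumeRole":
            target = ev.get("requestParameters", {}).get("roleArn", "")
            parts = target.split(":")  # arn:aws:iam::<account>:role/<name>; account is field 4
            if len(parts) > 4 and parts[4] != ev["recipientAccountId"]:
                cross_account.add(target)  # pivot into another account: review that account too
        if not ev["eventName"].startswith(READ_PREFIXES):
            writes.add(f"{service}:{ev['eventName']}")
    return {"calls": {s: sorted(a) for s, a in calls.items()}, "access_keys": sorted(keys),
            "cross_account_roles": sorted(cross_account), "write_actions": sorted(writes)}
```

Every access key in the result is a rotation candidate, every write action a change to verify, and every cross-account role a second account whose own trail must be scoped the same way.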