The attack that forced Code Spaces out of business – what went wrong?

When the news broke last week that Code Spaces – a code hosting and software collaboration platform – had gone out of business, it came as a bit of shock: this is one of the few publicly known cases where a company admits that it has ceased trading as a result of a cyber attack.

Following the attack, Code Spaces stated on its website: “As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us.

The attack

The attack on Code Spaces was an extortion attempt. It is not clear from the Code Spaces statement when the attacker had gained access to the Amazon EC2 control panel, but it is known that a DDoS attack was launched and a blackmail attempt was initiated with the attacker using a Hotmail account. Code Spaces currently have no indication that a malicious insider was involved.

When Code Spaces started to investigate, they found the user had control panel access but not the private keys, and they do not believe that protected machines had been accessed. This did not prevent artefacts being deleted via the control panel when the attacker realised Code Spaces was attempting to regain control. Code Spaces reported “In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.” The attackers appear to have delivered a fatal blow to Code Spaces.

How and when was access gained?

How and when access was gained is not clear. Access to the Amazon EC2 control could have been obtained through a vulnerability within the control panel, knowledge of the credentials or brute forcing the password. It is unlikely that a vulnerability in the panel was exploited, as there has not been a spate of attacks on Amazon EC2 control panel. Rather, it is more likely that it was a social engineering attack on an administrator during the DDoS attempt, or that the password was brute forced prior to the attack, which potentially indicates a weak password. It’s possible that, while trying to prevent the DDoS attack, an administrator responded to a phishing attempt for credentials that they might have been more sceptical of under normal circumstances.

Attackers are known to launch DDoS attacks to distract administrators from the hackers’ other activities trying to break into a site. During the DDoS attack, normal business activities such as responding to log events are ignored; under ordinary circumstances, these everyday activities would have indicated that malicious activities were underway.

Could anything have been done to prevent it?

Amazon Web Services customers are responsible for credential management to control access to the EC2 Control panel. Amazon, however, has built-in support for two-factor authentication that can be used with AWS accounts and accounts managed by the AWS Identity and Access Management (IAM) tool. AWS IAM enables control over user access, including individual credentials, role separation and least privilege.

During incident response, it is useful for the organisation to have the ability to easily pull the plug on Internet access, preventing remote access to servers., In this case, however, the infrastructure attacked was not owned by Code Space itself but part of a Cloud environment. Because of this, the ability to isolate a server from remote control is a lot more difficult.

Who else could be threatened?

This attack could be conducted against a large number of organisations, not necessarily restricted to those hosted in the Cloud. Organisations are not helping themselves in protecting sensitive data. In a recent survey by a team of researchers from Columbia University, reverse engineering of 880,000 applications found on Google Play revealed that the developers had hardcoded secret authentication keys in the apps. These can lead to attackers stealing server resources or user data available through services such as Amazon Web Services.

Extortion or blackmail are common threats on the Internet. The BBC has recently reported that Nokia “paid blackmail hackers millions” to keep source code and keys secret. Previously, it was the gambling industry that was prone to blackmail attempts via DDoS. With organisations increasingly dependent on the Internet, however, anyone could become a target.

As it appears that password compromise was the key factor, the secure use of strong passwords must be part of the organisation’s culture. Staff awareness combined with strong, computer-generated, random passwords and technology such as password vaults and two-factor authentication would mitigate attacks on passwords.