In the wake of a string of data exposures originating from Pentagon intelligence-gathering agencies, critical, highly classified data belonging to the United States Army Intelligence and Security Command (INSCOM) has been found in an unsecured open database on the internet.
The UpGuard Cyber Risk Team found the data from INSCOM, a joint US Army and National Security Agency (NSA) Defense Department command tasked with gathering intelligence for US military and political leaders, exposed to anyone with an internet connection in an Amazon Web Services S3 cloud storage bucket. Unfortunately, this is just the latest exposure due to a misconfiguration—the problem has become endemic.
UpGuard said that among the downloadable assets is classified data labeled Top Secret and NOFORN—a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies. Further, the subdomain name for the S3 bucket, INSCOM, provides "little ambiguity to any bad guys seeking to determine the data’s significance," the firm pointed out.
The exposed data also reveals sensitive details concerning the Defense Department’s battlefield intelligence platform, the Distributed Common Ground System—Army (DCGS-A) as well as the platform’s cloud auxiliary, codenamed “Red Disk.” Also exposed are a virtual drive used for receiving, transmitting, and handling classified data, and private keys used for accessing distributed intelligence systems, belonging to administrators from a now-defunct third-party contractor. This cache included hashed passwords which, if still valid and cracked, could be used to further access internal systems at the Pentagon.
“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” the firm said, in a blog. “This cloud leak follows a number of previous Cyber Risk Team reports detailing Pentagon data exposures from within the US Central Command, US Pacific Command, and the National Geospatial-Intelligence Agency, a Defense Department agency tasked with acquiring and analyzing satellite imagery intelligence. Such continual and apparently accidental exposure of classified national security data to the wider internet is proof that even the most secretive corners of the IT landscape are not immune to the cyber risks befalling any enterprise operating at scale.”
There also are indications that some of the data in the bucket had been accessed and worked upon by Invertix, an external third-party vendor.
“Third-party vendor risk remains a silent killer for enterprise cyber-resilience. The transfer of information to an external contractor, such as Invertix, exposes the originating enterprise (in this case, INSCOM) to the consequences of a breach, but without direct oversight of how the data is handled,” UpGuard said. “Invertix has since merged into a new corporation, Altamira… If the right hand does not know what the left hand is doing, the entire body will be injured. The Defense Department must have full oversight into how their data is handled by external partners, and be able to react quickly should disaster strike.”
The misconfiguration was discovered in late September, after which UpGuard helped the military secure the information, it said.
Threat Stack CSO Sam Bisbee told Infosecurity that infrastructure has now outpaced security, and that we will likely see more of these types of breaches in the public and private sectors, especially as holiday season infrastructure goes live.
“The market’s investment in services and tools to automate business processes without incurring heavy maintenance costs has outpaced investment in the methods to secure them,” he said. “Sometimes it’s safer to bring commoditized systems that are likely to leak sensitive information, such as log aggregation, into your own environment since they have become too cheap to maintain. As usage of services like GitHub and AWS S3 grows, organizations of all sizes must understand whether the services they use to store data are in fact risk-appropriate for the type of data they put into them. Security and operations teams have an opportunity to work together to help their enterprises manage the risk of data breach by auditing their current environments to understand what data is expected to be stored in them versus what is actually stored in them, the relative safety of the storage services, and then establishing appropriate controls and monitoring for when, how, and where data is accessed.”
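The audit Bisbee calls for starts with knowing which buckets are readable by anyone on the internet, which is what the misconfiguration at the center of this story amounted to. The following is an added example, not code from UpGuard, INSCOM or the article; it evaluates a bucket policy and ACL offline, and the bucket name and account id in its sample documents are placeholders.

```python
"""Offline audit of S3 bucket policy/ACL documents for anonymous read access.
Added example, not from the article, UpGuard or AWS: feed it the JSON returned by
`aws s3api get-bucket-policy` / `get-bucket-acl`; sample documents are constructed."""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Principal "*" or {"AWS": "*"} matches every AWS account and anonymous requests.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy):
    """Return one finding per Allow statement that grants read access to everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        exposed = sorted(a for a in _as_list(stmt.get("Action", [])) if a.lower() in READ_ACTIONS)
        if exposed:
            note = " (narrowed by a Condition; review it)" if "Condition" in stmt else ""
            findings.append(f"policy {stmt.get('Sid', '?')}: public {', '.join(exposed)}{note}")
    return findings

def audit_bucket_acl(acl):
    """Return one finding per ACL grant to the AllUsers or AuthenticatedUsers group."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            group = "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"acl: {group} granted {grant.get('Permission')}")
    return findings

# Constructed sample documents (bucket name and account id are placeholders).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "OwnerFull", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

if __name__ == "__main__":
    print(*audit_bucket_policy(SAMPLE_POLICY), *audit_bucket_acl(SAMPLE_ACL), sep="\n")
```

`get-bucket-policy` returns the policy as a JSON string under the `Policy` key, so `json.loads` it before passing it in. S3 Block Public Access, when enabled at the account or bucket level, overrides grants like these, so check `get-public-access-block` alongside this audit.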