Cayman Islands investment fund left entire filestore viewable by world+dog in unsecured Azure blob

Blank share certificates, passport scans, you name it


Exclusive A Cayman Islands-based investment fund has exposed its entire backups to the internet after failing to properly configure a secure Microsoft Azure blob.

Details of the fund's register of members and correspondence with its investors could be freely read by anyone with the URL to its Azure blob, the Microsoft equivalent of an Amazon Web Services S3 storage bucket.

As well as publicly exposing who its shareholders are, how many shares they hold, and the value of those holdings, the fund – which The Register is not naming after it agreed to talk in depth about its incident response process – had also saved a scanned copy of its online banking PIN to the blob. The Register viewed a subset of files from the blob to confirm their ownership and authenticity.

The fund's online banking PIN was one of the files anyone could have viewed on its unsecured Azure blob

The blob address was indexed by a specialised search engine and was pointed out to The Register by an incredulous infosec source who wisecracked: "Money money money... must be funny... in a rich man's world."

The unnamed fund's incident response consisted of disregarding the initial notification from The Register before asking a staffer with a compsci degree if he thought there was cause for concern. Luckily, that person realised what we were trying to tell them.

The fund's register of members (shareholders) – one of the things that Cayman Islands companies are not obliged to file with local authorities in the British Overseas Territory

He said: "We use Azure for our server backup, it's not our day-to-day server: people have set that up for us as a backup for disaster recovery and so on."

The person, who described himself as a compsci grad with a strong maths background, said his bosses asked him to look at our email again just in case there was something more to it "than a phishing attempt".

Sensitive internal documents including itemised bank statements could be viewed by anyone on the Azure blob

Documents seen by The Register in the unsecured blob stretch back years and include: scans of directors' passports; letters to and from investors including commented files sent during commercial negotiations; term sheets; share certificates (including blank copies); documents signed by its directors and more.

The compsci chap continued: "This was the [backup] solution provided by our IT vendor in Hong Kong which we saw as fairly normal cloud provision. Clearly there's some security issue there!"

Not only were completed share certificates scanned and uploaded but also blank copies, along with directors' signatures

He also added that the fund's IT provider had removed all of its files from its Azure blob as a result of the breach, while expressing some doubts about the IT provider's claim that Microsoft had ignored their requests for help over the weekend.

The fund, which falls into the smaller end of the SME bracket when judged on headcount, appears to have the same level of in-house IT expertise as any other small firm whose main business is not focused on IT; not a lot. They were completely unaware of how Azure operated or how their files had been exposed to anyone with a web browser and appeared to be totally reliant on their IT provider for everything other than basic office productivity software.

One of the fund's directors had scanned all the identity pages of his passport. This was indexed by a search engine for anyone to view and copy

The firm claims to have $500m under management, with its investors including sovereign wealth funds, prominent financial institutions, corporations and family offices. One of its investors is Rothschild & Co, the well-known investment bank. While Rothschild did not respond to our request for comment, it did pass El Reg's request to the fund, alerting it to its Azure woes.

Azure blob misconfigurations have been rather lower profile than publicised issues with AWS S3 buckets but, like Amazon, Microsoft has rolled out tools for checking that one's storage is secure. Such tools are only useful if they're actually, you know, used.
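For readers wondering what "checking one's storage" looks like in practice, here is an added example (not from the article, the fund, or its IT provider) that audits the two settings behind this kind of exposure: the storage account's `allowBlobPublicAccess` property and each container's `publicAccess` level. It consumes the JSON emitted by the real Azure CLI commands `az storage account show` and `az storage container list`; the two JSON samples embedded below, and the account name `examplebackups` and resource group `rg-backups`, are constructed for illustration. A container at the `container` level is the scenario described above: anyone with the URL can list and download everything in it.

```python
"""Audit an Azure Storage account for anonymous (public) blob access.

Added example, not code from the article. Feed it the output of two real
Azure CLI commands (run with your own credentials):
  az storage account show -n <account> -g <resource-group>   -> account JSON
  az storage container list --account-name <account> --auth-mode login
                                                            -> containers JSON
"""
import json

# Constructed sample of `az storage account show` output, trimmed to the field
# that matters here. True (or missing) means containers may be made public.
SAMPLE_ACCOUNT = json.dumps({
    "name": "examplebackups",        # placeholder account name
    "allowBlobPublicAccess": True,
})

# Constructed sample of `az storage container list` output, trimmed.
# publicAccess is "container" (list + read), "blob" (read known URLs) or null.
SAMPLE_CONTAINERS = json.dumps([
    {"name": "server-backups", "properties": {"publicAccess": "container"}},
    {"name": "website-assets", "properties": {"publicAccess": "blob"}},
    {"name": "private-docs", "properties": {"publicAccess": None}},
])


def audit(account_json, containers_json):
    """Return findings as dicts: kind, subject, severity, why."""
    account = json.loads(account_json)
    containers = json.loads(containers_json)
    findings = []

    # A missing property means it was never set; older accounts treat that as
    # "allowed", so only an explicit False is a safe account-level setting.
    if account.get("allowBlobPublicAccess") is not False:
        findings.append({
            "kind": "account", "subject": account["name"], "severity": "high",
            "why": "allowBlobPublicAccess is not false; any container can be made public",
        })

    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level == "container":
            findings.append({
                "kind": "container", "subject": c["name"], "severity": "critical",
                "why": "anonymous users can list the container and read every blob",
            })
        elif level == "blob":
            findings.append({
                "kind": "container", "subject": c["name"], "severity": "high",
                "why": "anonymous users can read any blob whose URL they know or guess",
            })
    return findings


def remediation(findings, account, resource_group):
    """Map each finding to the Azure CLI command that closes it."""
    cmds = []
    for f in findings:
        if f["kind"] == "account":
            # Account-wide switch: no container can be public once this is false.
            cmds.append(f"az storage account update -n {account} -g {resource_group} "
                        f"--allow-blob-public-access false")
        else:
            # Per-container switch for a staged rollout or older accounts.
            cmds.append(f"az storage container set-permission --name {f['subject']} "
                        f"--account-name {account} --public-access off")
    return cmds


if __name__ == "__main__":
    found = audit(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS)
    for f in found:
        print(f"[{f['severity']}] {f['kind']} {f['subject']}: {f['why']}")
    for cmd in remediation(found, "examplebackups", "rg-backups"):
        print("fix:", cmd)
```

The account-level setting is the one worth flipping first: once `allowBlobPublicAccess` is false, a vendor re-creating a container with `--public-access container` will simply be refused, which is the failure mode this fund needed protection against. Re-run the audit after the change and expect an empty findings list.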

Last year an Automated Number Plate Recognition (ANPR) operator in the UK left millions of CCTV images accessible online from an unsecured Azure blob that, like this fund's setup, had no login or authentication controls applied to it. ANPR typically works by applying image-recognition software to photos captured by bog-standard CCTV cameras; in that case the raw images were stored in a location that was accessible to anyone with a web browser.

Aaron Zander of HackerOne commented to The Register: "In the past year, hackers on the HackerOne platform earned $260,000 in bounties for misconfiguration-related vulnerabilities."

Just because it ain't AWS doesn't mean it can't be left unsecured. ®

Biting the hand that feeds IT © 1998–2022