Cloud Security, Breach, Network Security

Researchers disclose cloud vulnerability of accounting firm Moss Adams

A VPNOverview security team disclosed June 21 uncovering a vulnerability in a cloud computing platform of accounting firm Moss Adams. Pictured: A security logo is shown on screen during a keynote address at CES 2016 on Jan. 7, 2016, in Las Vegas. (Photo by Ethan Miller/Getty Images)

Network security experts on Tuesday disclosed they uncovered a potentially damaging security gap in the publicly accessible cloud computing platform of accounting and wealth management firm Moss Adams.

In April, a security team at VPNOverview initially found what it deemed “an improperly stored virtual machine image [belonging] to Moss Adams ... which was stored in a publicly accessible Amazon Web Services S3 bucket, [and] did not require a password,” according to a blog post on the website of the Dutch company that researches and reviews virtual private network security issues worldwide. Moss Adams LLP is one of the country’s largest and most prestigious public accounting and wealth management firms, employing nearly 4,000 financial professionals.

“We disclosed the breach on April 15, and Moss Adams secured their cloud network shortly afterward,” according to the security researcher’s post, authored by Mirza Silajdzic, cybersecurity researcher at VPNOverview. He added that his security team was able to enter Moss Adams’s corporate cloud “using an RSA key from the virtual machine’s [VM] filesystem. The key allowed us to log in to a workstation and access sensitive information.”

No customer data was exposed during the course of the investigation.

Aaron Phillips, the cybersecurity expert at VPNOverview who led the research on the breach, pointed out that by sharing “an RSA key that gave us workstation access to their private cloud ... we were able to interact with systems that are typically not accessible.

“The workstation belongs to their internal cybersecurity team, and it contained sensitive information that would have been useful to hackers,” Phillips said in an interview. “Moss Adams was quick to close the breach [since] there was significant risk to their systems.”

The wealth management firm responded by closing the gap and securing their cloud in less than a week, according to Phillips.

During its penetration test, the security researchers “downloaded a VM image and mounted the file system, bypassing the passwords associated with the machine. From there, we were able to explore the filesystem of the VM image,” according to Silajdzic’s post.

The VPNOverview team discovered an RSA key and a Linux service file containing a connection string, which they used to connect to a cloud workstation using Secure Shell (SSH), and thus accessed a Moss Adams cybersecurity team workstation. No Moss Adams customer data resided on the workstation, or was accessed, VPNOverview said.

Less than three years ago, Moss Adams gave notice that it suffered a breach to an employee email account in October 2019, which compromised personal identifiable information (PII). At the time, the stolen customer data included an undisclosed number of employee and customer names and Social Security numbers.

While seemingly nipped in the bud, the most recent incident shows the type of potential loophole that cybercriminals are increasingly seeking out and preying upon as they expand their target vectors to more upscale financial institutions, like wealth management firms.

Case in point: Morgan Stanley Wealth Management faced a series of social engineering and voice-based phishing attacks earlier this year. While accessing the networks of these high-end, white-shoe financial providers may be considered more difficult, the customer and even employee data is often considered more valuable to cybercriminals, since these firms tend to handle clients with larger balances and more valuable assets in general.

Financial institutions must be particularly aware not to leave VM images openly accessible in their cloud networks, since they often can lead to more sensitive information.

“In this case, that’s exactly what we found,” Phillips said in VPNOverview’s blog post. According to security researchers, if Moss Adams “had not accidentally shared the connection string to the machine in a service file,” accessing the firm’s internal workstation would not have been possible. Hence, this reported security glitch serves as a reminder that even large and prominent financial institutions must be vigilant when it comes to securing all possible networks, on the cloud as well as internally.

Moss Adams is a top 15 leading accounting and consulting firm,” Silajdzic said in an interview. “The data they hold is of important value. As such, you have to think about plugging all the holes so the boat doesn’t capsize, so to speak. One slip-up and you could have yourself a nightmare situation.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.