author photo
By Bruce Sussman
Thu | Aug 29, 2019 | 11:07 AM PDT

We just learned a lot more about accused Capital One hacker Paige Thompson.

Including the fact that she hacked a lot more than Capital One.

A U.S. federal grand jury indicted her this week. And the court documents SecureWorld reviewed show that her hacking targeted dozens of companies, involved cryptojacking, and had a very specific reason for selecting the targets she did.

And that reason is something every organization in the cloud should know about.

Let's start with the scope of the crimes.

How many organizations did the Capital One hacker target?

According to page 4 of the grand jury indictment, Thompson "copied and stole data from more than 30 different entities."

Most of the organizations are not described, except for vague mentions of three of them:

"Victim... is a state agency that is not the State of Washington." (Washington State where Thompson is being jailed.)

"Victim... is a telecommunications conglomerate located outside the United States that provides services predominantly to customers in Europe, Asia, Africa and Oceania."

"Victim... is a public research university located outside the State of Washington."

For now, we'll go with these industry verticals: government, education, and telecommunications.

How did the Capital One hacker choose her victims?

The indictment reveals, for the first time, that every single one of Paige Thompson's targets are customers of Amazon Web Services (AWS) where she had previously worked.

And the way she chose her victims should not be a surprise to anyone in cybersecurity circles.

She went after cloud misconfigurations, which we hear discussed at every SecureWorld conference across North America.

Page 3 of the indictment reads:

"It was part of the scheme and artifice that Paige A. Thompson used, and created, scanners that allowed her to scan the publicly facing portion of servers rented or contracted from the cloud computing company, and to identify servers for which web applications firewall misconfigurations permitted commands sent from outside the servers to reach and be executed by the servers."

Now we know why AWS announced a major cloud security change last week. In a letter to U.S. Senator Ron Wyden of Oregon, AWS wrote:

"We will proactively scan the public IP space for our customers' firewall resources to try to assess whether they may have misconfigurations."

[MORE: 3 Changes AWS Is Making After Capital One Hack]

Also, the Cloud Security Alliance just listed the top threats to cloud computing this year.

"Misconfiguration" was ranked number 2. Perhaps this series of attacks on the cloud will push misconfiguration up to number one; we'll see.

Capital One hacker also got into cryptojacking

And here was more news from the indictment. At least some of the time, Thompson went after money from cryptomining:

"... used her unauthorized access to certain victim servers—and the stolen computing power of those servers—to mine cryptocurrency for her benefit, a practice often referred to as 'cryptojacking.'"

[RELATED: How to File a Cryptojacking Complaint]

After reading all of these allegations, you may be wondering, how long did all of this hacking and cryptojacking go on?

According to the indictment, Paige A. Thompson hacked companies in the cloud from approximately March to July of 2019. 

For more on how she was caught, read Capital One Data Stolen by Seattle Woman.

Also, you can download the federal grand jury indictment here: United States of America vs. Paige A. Thompson.

And after you read it, be sure to check your cloud configurations.

Cloud security tools don't mean automatic security

Nathan Schmidt, who is Sr. Solutions Architect at Thales eSecurity, puts it like this:

"At the end of the day, regardless of how much security is presumed to be good enough or supposedly baked into the new, hot PaaS cloud offering, it can be a false sense of security. You can't simply buy security. You'll have to be an active participant in protecting your data and your customers' data."

Learn more in the SecureWorld web conference, Cloudy with a Chance of Breach, which is available on-demand.

[RELATED: AWS Cloud Security Visibility: Myths vs. Reality]

Comments