In September 2013, we ran a live server exploitation exercise to see how long an unpatched and minimally configured cloud server instance could survive against financially motivated attackers when connected directly to the Internet. The exercise, referred to as The Gauntlet throughout the capture-the-flag-style contest, ran for 23 days across a collection of Microsoft Windows and Linux-based servers with varying combinations of applications and application frameworks installed.
Facilitated by our friends at Bugcrowd, the Gauntlet saw the capture of a total of 35 flags across the pool of targets and the successful capture of two flags in under four hours. This compromise allowed the attacker to claim the five-digit financial incentive designed to motivate the 367 participants.
Some highlights from The Gauntlet include:
- Server fully compromised by a single individual in under four hours
- Six servers provisioned, each with a different Microsoft Windows Server or Linux-based operating system
- Included 367 participants from 41 different countries
- 102 total security issues reported (90 successfully validated)
- 35 flags submitted over 23 days
In our opinion, the results of The Gauntlet exercise were very valuable and telling. Not only did the exercise reinforce the fact that financially motivated attackers were capable of exploiting servers and applications of different types, it also showed just how briefly carelessly deployed servers in cloud environments might survive.
Bloomberg BusinessWeek reporter Dune Lawrence's coverage of the report can be found here: http://www.businessweek.com/articles/2013-12-19/how-long-can-cloud-servers-hold-off-hackers-not-as-long-as-you-think.
The CloudPassage press release can be viewed here: http://www.marketwired.com/press-release/Hacker-Fully-Compromises-Cloud-Server-in-Under-Four-Hours-1864059.html.
The full report containing the winning exploitation method and other attack data can be downloaded here.