Network security experts found a way into the Moss Adams cloud network

We learned this week that benevolent hackers found a vulnerability in Moss Adams a few months ago and detailed their findings in a blog post on Tuesday.

Via VPNOverview:

The VPNOverview security team discovered in April an improperly stored virtual machine (VM) image belonging to Moss Adams, one of the largest public accounting firms in the US.

Access to the image, which was stored in a publicly accessible Amazon Web Services S3 bucket, did not require a password. We disclosed the breach on April 15, and Moss Adams secured its network in the cloud shortly after.

Our team could log into the Moss Adams corporate cloud using an RSA key from the VM’s file system. The key allowed us to log into a workstation and access sensitive information. No customer data was exposed during the course of this investigation.

An SC Media article about the incident says, “Moss Adams LLP is one of the nation’s largest and most prestigious public accounting and wealth management firms, employing nearly 4,000 financial professionals.” You will notice Moss Adams is ranked #10 on Vault’s Most Prestigious Accounting Firms list, the authority on prestige in public accounting.

Hilariously, that same SC Media article links to a post by Moss Adams itself on the intangible costs of a cyber breach:

One of the most important components of cyber risk management is prevention. Some organizations, however, sometimes don’t realize that data breaches can cost more than the loss of data or systems access.

The consequences of a cyber breach can affect various business relationships: insurance companies, banking institutions, investors or potential buyers, for example. The implications of those intangible costs often mean that companies must meet criteria that help them assess the safety of companies.

VPNOverview said a thorough examination of the file system revealed sensitive information but no data pertaining to Moss Adams clients.

Screenshot of the Moss Adams cybersecurity breach, via VPNOverview

In a statement to VPNOverview, Moss Adams suggested that customer data would never have been at risk even if more nefarious individuals had duplicated VPNOverview’s actions: “This AWS instance was completely isolated from Moss Adams’ corporate IT environment, systems, and related customer data. The fact is that we do not currently use AWS to host any of our corporate systems or customer data. This AWS instance was used solely for the purpose of external penetration testing and hosting related tools that we do not want hosted or commingled within our corporate production environment.” The breach was discovered on April 14, 2022 and reported to Moss Adams the following day; Moss Adams closed the breach on April 20.

“In this case, a series of small errors and misconfigurations gave us access to the workstation of one of the largest accounting firms in the United States. The irony is that Moss Adams is more prepared to deal with a cyberattack than most companies, but it only takes one mistake to open unexpected avenues of attack. A compromised pentesting instance is an ideal place to launch further attacks. I am relieved that none of Moss Adams’ customers were exposed,” said Aaron Phillips, the cybersecurity professional who led VPNOverview’s investigation into this breach.

This is not the first time Moss Adams data has been vulnerable. In 2020, Moss Adams reported that an employee’s email account was compromised in late 2019 and unsavory characters gained access to various personally identifiable information (PII), including names and Social Security numbers. California law requires a business or state agency to notify any California resident whose unencrypted personal information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person, and requires that a sample copy of a breach notice sent to more than 500 California residents be provided to the California Attorney General. A footnote in the sample breach notice provided to the California AG [PDF] by Moss Adams says the company conducts audits of employee benefit plans for current or former employers of affected individuals, which is why it held PII on these individuals.

VPNO says that the Moss Adams cloud is now secure.

Breach exposes Moss Adams cloud workstation and sensitive data [VPNOverview]
Researchers Reveal Cloud Vulnerability at Accounting Firm Moss Adams [SC Media]

Do you have anything to add to this story? Give us a shout by email or Twitter, or text or call the information line at 202-505-8885. As always, all tips are anonymous.