As more and more organizations move their business to the cloud, the cybercriminals targeting them follow. Understanding the latest cloud attack techniques helps organizations prepare for the threats heading their way.
Below we discuss some of the common attack chains, along with other cloud attack techniques, that are front of mind for both security professionals and cybercriminals.
1. Credential leaks lead to account hijacking
Leaked API credentials leading to account hijacking is a high-risk attack chain on cloud platforms. Mogull stated in his talk at the RSA Conference:
"This particular attack is indeed one of the most common types of attacks."
He said that with static credentials an attacker can log in to an account as the user and transfer funds out, because these credentials are routinely used to log in and authorize operations. Such credentials persist because, as users see it, some on-premises data centers need a username/password credential in order to talk to the cloud platform.
Once an attacker obtains an access key, they can use it from a host or platform under their control and issue API calls to perform malicious operations or escalate privileges. These keys are usually leaked through GitHub, Bitbucket, shared images, and public snapshots. Attackers also decompile Google Play Store applications and extract the static credentials embedded in them. Or someone breaks into a developer's laptop or instance and reads their command history or configuration files to find an access key that lets them into the cloud environment.
Mogull said:
"In my opinion, this is indeed the largest single vector of cloud attacks today...it is one of many methods. Especially publishing content publicly."
He suggested that users minimize their use of static credentials and scan code repositories and the company's GitHub for them, because once these keys are publicly exposed, attackers can be probing your infrastructure within minutes.
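The repository scan Mogull recommends, as an added example that is not part of the article: a small scanner that matches the fixed AWS access key ID format and filters 40-character secret candidates by Shannon entropy so ordinary identifiers are not flagged. The sample lines are constructed; the key pair in them is the example pair published in AWS documentation, not a live credential.

```python
import math
import re
from collections import Counter

# Constructed sample: lines as they might appear in a committed config file.
# The key pair is the example pair from AWS documentation, not a live credential.
SAMPLE_LINES = [
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region = us-east-1",
    "db_password = changeme",
]

# AWS access key IDs have a fixed prefix and length, so a pattern match is reliable.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret keys are 40 base64-like characters; the pattern alone is too loose, so each
# candidate is additionally filtered by its Shannon entropy.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
ENTROPY_THRESHOLD = 4.0  # bits per character; prose and identifiers fall well below this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    # Never echo the full secret into scanner output or tickets.
    return value[:4] + "..." + value[-4:]


def scan_lines(lines):
    """Return (line_number, finding_type, redacted_value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            token = m.group(1)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_secret", redact(token)))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {kind} {value}")
```

Run it over each commit in CI or as a pre-commit hook; a finding should block the push, since rotating the key after it has reached a public repository is already too late.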
2. Configuration error
Starbucks Global Chief Information Security Officer (CISO) Andy Kirkland said in a talk at this year's CSA Information Summit that misconfiguration is largely, or at least partly, a "rebranding of shadow IT." Almost anyone can get an S3 bucket and use it however they want. Attacks exploiting misconfigurations keep happening because organizations often fail to protect the information they store in public clouds.
Access control may be set to public or anonymous; a bucket policy or network security policy may be too permissive; or a public content delivery network (CDN) may be configured to serve private data. In any of these situations, sensitive data placed in object storage is effectively unprotected. Attackers scan for public data stores and, once they find one, can easily extract the data they want.
Mogull said that the defaults are safe, but data can easily be exposed publicly. Cloud providers offer tools to reduce the problem, but for enterprises it remains a pain point. He suggested that organizations run continuous assessments and pay special attention to object-level permissions: changing bucket-level permissions does not always change object-level permissions.
He said:
"These problems are really difficult to solve, because some organizations have thousands of objects in these environments, and now they have to try to find them. The best way is to use the control 'don't let anyone disclose this information'."
If you really do need to make some content public, you can configure the environment so that what is already public stays as it is, but nothing else can be made public in the future.
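The bucket-level versus object-level distinction Mogull describes, as an added example that is not part of the article: a lint that flags bucket policy statements granted to everyone and, separately, objects whose own ACL still grants public read. The policy, the object ACLs and the account id are constructed samples; the ACL shape is simplified from what an object ACL lookup returns.

```python
import json

# Constructed sample bucket policy for a hypothetical bucket; the account id is a placeholder.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed per-object ACL grants (shape simplified from a GetObjectAcl response).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
SAMPLE_OBJECT_ACLS = {
    "reports/q1.csv": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
    "reports/q2.csv": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_public_principal(principal):
    # "*" and {"AWS": "*"} both mean anonymous access.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(policy):
    """Return (Sid, has_condition) for every Allow statement granted to everyone.
    A Condition block may narrow the grant, so it is reported rather than silently trusted."""
    out = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and is_public_principal(st.get("Principal")):
            out.append((st.get("Sid", "<no Sid>"), "Condition" in st))
    return out


def public_objects(object_acls):
    """Keys whose own ACL grants AllUsers or AuthenticatedUsers; these stay public
    even after the bucket policy is tightened."""
    return sorted(key for key, grants in object_acls.items()
                  if any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS) for g in grants))


if __name__ == "__main__":
    print("public bucket statements:", public_statements(SAMPLE_POLICY))
    print("objects with public ACL:", public_objects(SAMPLE_OBJECT_ACLS))
```

The lint looks only at what it is given: it does not model Deny statements or account-level public access blocking, so a flagged item is a finding to review, and an unflagged bucket is not proof of safety.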
3. Mainstream cloud computing services are popular targets
As more organizations move their business to the cloud, cybercriminals are focusing their attention there too. This is particularly evident in phishing attacks that imitate the login pages of popular cloud services such as Office 365. Cybercriminals are after credentials that give them access to those cloud services.
Jon Clay, Head of Global Threat Communications at Trend Micro, said:
"Unfortunately, many organizations are still using weakly secured credentials. Part of the reason for credential stuffing is that cyber attackers are beginning to use phishing emails with phishing pages to target cloud infrastructure and accounts."
In its latest "Cyber Threat Index" report, Imperva pointed out that cybercriminals are making more use of public cloud resources. The report found that between November 2019 and December 2019, web attacks originating from public cloud sources increased by 16%.
On a related issue, the abuse of major cloud services, researchers reported a new downloader used mainly to deliver remote access Trojans and information stealers. According to Proofpoint:
"GuLoader is becoming more and more popular among multiple threat organizations and usually stores encrypted payloads on Google Drive or Microsoft OneDrive. It is often embedded in container files, such as .iso or .rar, among other things. The researchers also found that it can be downloaded directly from the cloud hosting platform."
4. Cryptomining
After getting into the cloud, many intruders go on to mine cryptocurrency: a low-threat, high-probability type of attack that most companies face. Mogull said that everyone with a cloud account has run into this problem.
How is this kind of attack carried out? Attackers obtain credentials that let them run instances (RunInstances), virtual machines or containers, launch large instances or virtual machines, inject a cryptominer, connect it to the mining network, and then collect the results. Alternatively, they compromise exposed instances, virtual machines or containers and inject cryptocurrency miners into them. Shawn Harris, Chief Security Architect at Starbucks, said:
“Of all cyber attacks, 78% of cyber attacks are motivated by profit. Cryptocurrency mining is a very fast way to make money through access.”
Trend Micro's Clay said that servers are still the preferred platform for cryptomining, but attackers with access are taking steps to conceal their activity. In the past, attackers were used to "grabbing everything on the system," and that kind of noise was easily noticed by victims. Now they have learned to throttle their behavior to evade corporate monitoring.
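A detection counterpart to the RunInstances chain described above, as an added example that is not part of the article: it reads CloudTrail-style launch events and flags launches outside the account's usual regions, GPU or large compute families, and unusually large per-call counts, the three signals a miner using stolen credentials tends to trip even when throttling its activity. The events, the account id, the approved-region list and the family list are constructed assumptions, and the record shape is simplified.

```python
# Constructed, simplified CloudTrail-style records (not real log data). Only the
# fields the detector reads are included; the account id is a placeholder.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci"},
     "requestParameters": {"instanceType": "t3.small",
                           "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}},
    {"eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci"}},
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci"},
     "requestParameters": {"instanceType": "p3.16xlarge",
                           "instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]}}},
]

# Baseline for this hypothetical account: where it normally launches, and how many per call.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}
MAX_INSTANCES_PER_CALL = 5
# GPU and large compute families are what miners reach for; tune to the account's workloads.
COSTLY_FAMILIES = {"p2", "p3", "p4d", "g4dn", "g5", "c5", "c6i"}


def requested_count(event):
    """Total instances requested by one RunInstances call (sum of maxCount)."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(item.get("maxCount", 0) for item in items)


def flag_run_instances(events):
    """Return one (principal, region, instance_type, reasons) tuple per suspicious launch."""
    alerts = []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        itype = ev.get("requestParameters", {}).get("instanceType", "")
        count = requested_count(ev)
        reasons = []
        if ev.get("awsRegion") not in APPROVED_REGIONS:
            reasons.append("launch outside approved regions")
        if itype.split(".")[0] in COSTLY_FAMILIES:
            reasons.append("GPU/large compute family")
        if count > MAX_INSTANCES_PER_CALL:
            reasons.append(f"{count} instances in one call")
        if reasons:
            alerts.append((ev["userIdentity"]["arn"], ev["awsRegion"], itype, reasons))
    return alerts


if __name__ == "__main__":
    for principal, region, itype, reasons in flag_run_instances(SAMPLE_EVENTS):
        print(f"{principal} launched {itype} in {region}: {', '.join(reasons)}")
```

Pair this with a billing or quota alarm: a miner that keeps each call small to stay under the per-call threshold still shows up as a steady rise in compute spend for a principal that never used that capacity before.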
5. Server-side request forgery
Server-side request forgery (SSRF) exploits a vulnerability to make the server issue requests on the attacker's behalf, bypassing the restriction that the client cannot reach certain data directly. It is a dangerous attack method and is becoming more serious in cloud environments. The reason is the metadata API: it lets applications retrieve configuration, logs, credentials, and other information about the underlying cloud infrastructure, and that is what makes SSRF a threat. The metadata API is only reachable locally, but an SSRF vulnerability makes it reachable from the Internet. Once exploited, attackers are able to move laterally and carry out network reconnaissance.
Mogull added that this is a more sophisticated attack. An attacker first identifies an instance or container with a potential SSRF vulnerability, uses it to extract credentials through the metadata service, and then uses those credentials to establish a session from the attacker's own environment. From there, the attacker can issue API calls to escalate privileges or take other malicious actions.
For SSRF to succeed, however, several conditions must hold: something must be exposed to the Internet, it must contain an SSRF vulnerability, and it must have Identity and Access Management (IAM) permissions that are usable from elsewhere. In addition, it must be running a version of the metadata service that can be reached this way.
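One application-side control against the chain above, as an added example that is not part of the article: a pre-flight check for a user-supplied URL the server is asked to fetch. It rejects non-HTTP schemes and any host that is, or resolves to, a loopback, private or link-local address, which covers the 169.254.169.254 address the metadata service answers on, including the IPv4-mapped and decimal spellings that a plain string comparison misses. fake_resolver and the hostnames in its table are constructed stand-ins for DNS so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Loopback, private, link-local (169.254.169.254 is the metadata address on the
# major clouds), CGNAT and the unspecified network: any resolved address inside
# these ranges is refused before a request is ever issued.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "100.64.0.0/10", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def system_resolver(host):
    # Check every A/AAAA answer, so a multi-answer name cannot smuggle a blocked address.
    return [ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)]

def fake_resolver(host):
    # Constructed stand-in for DNS so the example runs offline. "2852039166" is the
    # decimal form of 169.254.169.254, which libc-style resolvers accept as an address.
    table = {"example.com": ["203.0.113.10"], "metadata.internal": ["169.254.169.254"],
             "2852039166": ["169.254.169.254"]}
    if host not in table:
        raise OSError("name not found")
    return [ipaddress.ip_address(a) for a in table[host]]

def is_blocked(addr):
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before comparing.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL the server is asked to fetch."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal address, incl. bracketed IPv6
    except ValueError:
        try:
            addrs = resolver(host)  # hostname: every answer must pass
        except OSError:
            return False, "unresolvable host"
    for addr in addrs:
        if is_blocked(addr):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"
```

The check does not pin the resolved address, so it must be repeated at connect time and on every redirect to close the rebinding gap; the instance side should also restrict who can reach the metadata service where the provider allows it.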
6. Gaps in the cloud supply chain
Song Haiyan, senior vice president and general manager of security markets at Splunk, believes that organizations have not fully considered the cloud digital supply chain as a potential security risk, nor the implications for incident response in that environment.
She explained that many of the services and applications we use do not come from just one company. For example, when you order a ride through a ride-sharing app, multiple participants are involved: a payment company processes the transaction and another company provides the GPS data. If someone compromises part of this process and sends people to the wrong place, how do you respond to the incident when all these APIs are controlled by different vendors?
Song Haiyan added that we are in the API economy. Applications are built from API services, but if a problem occurs in the cloud, the organization behind the application needs proper visibility and processes to handle it. Do you have a service level agreement (SLA) and incident response procedures? How do we provide visibility and traceability? Do you know who your service providers are? Do you know their reputation? Knowing this, and working with reputable suppliers, will be very helpful to your business.
7. Brute force attacks and Access-as-a-Service
For Trend Micro's Clay, brute force attacks are the top concern. He said that attackers have begun producing phishing emails with links to malicious pages related to cloud infrastructure and accounts. A pop-up window may induce the victim to enter their username and password into a fake login page for Office 365 or another cloud application.
Threat actors are after login credentials. Some use that access to mine cryptocurrency or hunt for valuable data. Others do none of this themselves: they simply buy Access-as-a-Service on the dark web. An attacker gains access to an organization's cloud environment and then manages that access on behalf of another threat group. For example, the Emotet operators may sell their access to Sodinokibi or Ryuk ransomware operators. Clay pointed out that Access-as-a-Service is very popular in the ransomware community because it saves them the work of breaking into the target company.
Those who provide Access-as-a-Service get paid by criminal gangs, and the criminals get paid by their victims. As this approach becomes more popular, we will see less malware and more direct hands-on intrusion.