Foreword: New types of attacks on the
cloud environment may not have attracted the attention of the security team, but the impact of these attacks may be catastrophic.
Cross-cloud attacks
Nedbal of security company ShieldX said that cyber attackers often use
public cloud environments to penetrate local data centers.
These types of threats arise when customers move one of their workloads to a public cloud environment and use Direct Connect (or any other VPN tunnel) to move between public clouds to
private clouds. If an attacker invades one of these environments, he can move laterally under the surveillance of security tools.
Nedbal said: "The second stage is more difficult to detect and can be transferred from the public cloud to the private data center." After the attacker scans the environment, he can use traditional vulnerabilities to gain an advantage in the public cloud.
He went on to say that such threats may be captured in the public cloud, but the defense capabilities are weaker than in the local environment. The attacker has advantages in moving between public and private clouds, and can use his location to persist in the target network.
"The cyber kill chain becomes a loop of cyber kills," Nedbal explained. "Start with reconnaissance, start spreading malware, move laterally, and then start reconnaissance again."
Orchestration attack
Cloud orchestration is used to provide servers, obtain and allocate storage capacity, process networks, create virtual machines and manage identities, and other tasks in the cloud. The goal of an orchestration attack is to steal reusable accounts or password keys in order to assign privileges to cloud resources. Nedbal said, for example, an attacker could use a stolen account to create a new virtual machine or access cloud storage.
He pointed out that their success depends on their privileges to steal accounts. However, once the business process account is compromised, the attacker can use its access rights to create backup accounts for himself, and then use these accounts to access other resources.
Nedbal went on to say that the orchestration attack is aimed at the cloud API layer, so it cannot be detected with standard network traffic inspection tools. The security team needs to observe both network-based behavior and account behavior.
Mining type cyber attack
Chiodi, a security expert at the security company RedLock, said that noise attacks are the main problem facing cloud computing throughout 2018, and mining-type cyber attacks are one of them.
He explained: "This is a very, very common phenomenon. If you pay attention to news in this area, you will notice that it has affected the valuation of cryptocurrencies, but in fact, cyber criminals steal computing power more than It is more profitable to steal actual data."
Chiodi went on to say that hackers used ciphers specifically for corporate public cloud environments because they are elastic computing environments. Many organizations do not have mature cloud security programs, which makes their cloud environment vulnerable to attacks. He pointed to two simultaneous factors: the immaturity of cloud security platforms and the increasing popularity of cryptocurrencies such as Bitcoin and Ethernet. These factors have driven the rise of encryption hijacking in the cloud.
"Every company has been affected," he pointed out. Cloud service providers are working hard to provide more help to users of their platforms. "The last thing they want to see is that people see public clouds as insecure."
Chiodi lists some countermeasures that companies can use to protect themselves: regularly rotating access keys, restricting outbound traffic, and installing encrypted interceptors for web browsers.
Cross-tenant attack
Nedbal said that if you are a cloud provider or provide computing resources for cloud tenants, your tenants can request to configure workloads. Tenants can exchange data and share services to generate traffic from existing resources, which is common in organizations with private data centers. Unfortunately, this communication leaves a security hole.
Since many tenants use the same cloud, the security boundary will gradually disappear no matter where the resources are located. This will cause problems when the IT organization and its assets grow, but the corresponding security protection equipment will not grow with it. If an employee is attacked, the attacker can use shared services to infiltrate financial, human, and other departments.
"If you are using services such as computing and network resources provided by cloud service providers, then security is even more important." Nedbal said. Cloud tenants can use the functions provided on the portal to configure private clouds, but the traffic in these networks is usually not sent through traditional security controls.
He added: "In order to provide services to tenants, you have to expand the scale of private data centers or private clouds." With the growth of private data centers and the reliance of enterprises on public cloud services, this will continue to be a problem. "The more clouds are used, the more related cross-cloud attacks."
Cross-data center attack
According to Nedbal of the security company ShieldX, once in the data center, attackers are usually not restricted from accessing sensitive resources.
Data centers use Point of Delivery (PoD) for management, or use modules to work together to deliver services. As the data center expands, it is common to connect these modules and add more content. Traffic should be redirected through a multi-layer system to protect PoD, but many companies ignore this and open up a potential attack vector. If part of the PoD is attacked, the attacker can spread from one data center to another.
Abuse of real-time metadata APIs
Chiodi said that the instant metadata API is a special feature provided by all cloud providers. Although there are no bugs or loopholes, considering that it does not run locally, it is usually not properly protected or monitored. An attacker may use it in two ways.
The first method is a weak reverse proxy. Reverse proxy is very common in public cloud environments, and it can be configured by setting the host to call the instant metadata API and obtain credentials. If you turn on the proxy in a cloud environment and you can configure it to access the Internet through a reverse proxy, you can store these credentials. He said: "If these access credentials are not properly set for a specific instance, they can do all the things that the instance is authorized to do."
The second method is through a malicious Docker image. Developers share Docker images through Docker Hub, but this convenience has led to the behavior of publicly trusting the images, and malicious commands can be used to obtain access keys. The attacker may access the public cloud account from the compromised container.
"The Instant Metadata API is a great feature, but you must know how to handle it." Chiodi recommends monitoring user behavior in the cloud and following the principle of least privilege when issuing credentials.
Serverless attack
Nedbal called this a "next level" cloud attack. Serverless or function as a service (FaaS) architecture is relatively new and popular because users do not have to deploy, maintain, and expand their own servers. Although it makes management easy, the tricky part of serverless architecture is the challenge of implementing security controls.
FaaS services usually have a writable temporary file system, so attackers can store their attack tools in the temporary file system. FaaS functions can access corporate databases with sensitive data. Therefore, attackers may leak data and use attack tools to steal data. Using the wrong privileges, FaaS features can help them create new virtual machines, access cloud storage, or create new accounts or tenants.
Nedbal said: "Traditional security controls can hardly do this, because serverless or function and service (FaaS) architectures can even take away virtual networks from security administrators." Traditional security controls are difficult to deal with serverless Attacks. For serverless attacks, you need a way to redirect traffic before it reaches the function as a service.
Cross-workload attacks
These types of attacks occur in the same tenant, and nothing can prevent workloads from communicating with each other in the same tenant or virtual network, so attacks on virtual desktops may spread to virtual web servers or databases.
Enterprises usually use untrusted virtual machines to browse and download online content. If anyone is infected and it runs on the same tenant as other workloads with sensitive data, then these may be affected.
"In order to reduce the risk of violations, workloads with different security requirements should be in different security areas," Nedbal said. "A rich set of security control measures should be used to check the traffic traversing these areas, just like the North-South traffic Security measures are the same.” However, he added that it is difficult to add security controls between workloads.