7 Cloud Attack Techniques You Should Worry About
Security pros detail the common and concerning ways attackers target enterprise cloud environments.
As organizations transition to cloud environments, so too do the cybercriminals targeting them. Learning the latest attack techniques can help businesses better prepare for future threats.
"Any time you see technological change, I think you certainly see attackers flood to either attack that technological change or ride the wave of change," said Anthony Bettini, CTO of WhiteHat Security, in a panel at last week's RSA Conference. It can be overwhelming for security teams when organizations rush headfirst into the cloud without consulting them, putting data and processes at risk.
Attackers are always looking for new ways to leverage the cloud. Consider the recently discovered "Cloud Snooper" attack, which uses a rootkit to bring malicious traffic through a victim's Amazon Web Services environment and on-prem firewalls before dropping a remote access Trojan onto cloud-based servers. As these continue to pop up, many criminals rely on tried-and-true methods, like brute-forcing credentials or accessing data stored in a misconfigured S3 bucket. There's a lot to keep up with, security pros say.
"When you're taking your existing security skills and you're moving into an entirely different environment, then it's an incredible challenge to figure out what you really need to focus on, as well as what's going on out there in the real world," said Rich Mogull, analyst with Securosis and CISO of DisruptOps, in an RSA Conference talk about attack kill chains in the cloud.
Here we discuss some of these common kill chains, as well as other cloud attack techniques, that are top-of-mind for security pros and cybercriminals alike. Anything you're worried about that we didn't list here? Feel free to share your thoughts in the Comments section, below.
The exposure of static API credentials leading to an account hijack is a high-severity, high-likelihood attack kill chain in the cloud. "This particular attack is really one of the most common ones," said Securosis' Mogull in an RSA Conference talk.
By static credentials, he means things like access keys or, in Azure, a software-as-a-service (SaaS) token. "We have to use these because if you want something on-premise that talks to cloud ... at some point you need the ability to have some sort of username/password credential," he explained.
When an attacker gets one of these access keys, they can use it from a host or platform under their control and execute API calls for malicious action or privilege escalation. Keys are often exposed via GitHub, BitBucket, shared images, snapshots -- "all over the place," he continued. Attackers decompile Google Play Store apps and pull static credentials, then use those. Someone could break into a developer's laptop or instance and look at their command history or configuration files to find an access key that would let them into a cloud environment.
"This really is the single biggest vector, I believe, for cloud attacks today ... one of these methods," Mogull said. "In particular, posting things publicly." He advised attendees to minimize use of their credentials and scan for them in code repositories and corporate GitHubs. Once these keys are publicly posted, he said, it's a matter of minutes before they're being attempted against your infrastructure.
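The repository scan Mogull recommends can be automated. The following is an added example, not code from the talk or from any vendor: it looks for AWS access key IDs and secret keys in a set of files using the documented key formats, and reports redacted findings with their location. The file contents and the `ASIA...` key are constructed; the `AKIA...`/`wJalr...` pair is the placeholder AWS uses in its own documentation.

```python
import re
from dataclasses import dataclass

# Regexes for the static-credential shapes discussed above. The access key ID format
# (AKIA for long-lived user keys, ASIA for temporary STS keys, then 16 more characters)
# is documented by AWS; the secret-key rule requires a nearby variable name because a
# bare 40-character base64 string matches far too much ordinary text.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # enough to locate and rotate the key, never the full value

def redact(secret: str) -> str:
    """Keep the first four and last four characters so a report can be acted on."""
    return f"{secret[:4]}...{secret[-4:]}"

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-shaped token in a file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping such as a checked-out repository
    or a developer's shell history and config directory."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample inputs. The key values are the placeholders AWS uses in its own
# documentation plus one fabricated temporary-key ID; none is a real credential.
SAMPLE_FILES = {
    "app/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    ".bash_history": "aws configure set aws_access_key_id ASIA1234567890ABCDEF\n",
    "README.md": "Export AWS_ACCESS_KEY_ID in your shell; never commit it.\n",
}
```

Run `scan_files` over every commit, not just the working tree, since a key deleted in a later commit is still recoverable from history; a hit means the key is rotated first and cleaned up second.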
Misconfiguration is in large part, or at least in some part, "the rebranding of shadow IT," said Starbucks global CISO Andy Kirkland in a talk at this year's CSA Summit. "Just about anyone can get an S3 bucket and do whatever they want with it." Attacks linked to misconfiguration still happen because organizations so frequently fail to protect their information in the public cloud.
In these scenarios, sensitive data is placed into object storage and improperly protected. Access control may be set to public or anonymous; a bucket policy or network policy may be overly permissive; or a public CDN may be configured to serve private data. An attacker scans for and discovers an open data store, then extracts the data they want.
"These default to secure, but they can be made public pretty easily," said Mogull of cloud buckets. Cloud providers offer tools to reduce this risk, but it can still be a pain for organizations. He advised continuous assessment and special attention to object-level permissions: When you change bucket-level permissions, he said, it doesn't always change object-level permissions.
"That's really hard to deal with because there's some organizations with many thousands and millions of objects in these environments that they now have to [go] through to try and find," he said. The best thing to do, he added, is use the control for "don't let anybody make this public." If something does need to be made public, Mogull said, you can configure the environment so everything is left as is, but nothing else can be made public in the future.
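The two postures Mogull describes map onto the four S3 Block Public Access switches. As an added example (not from the talk or from AWS), the function below evaluates a bucket policy and ACL state against those switches and reports both whether the bucket is reachable anonymously now and whether anyone can make it public later. The policy document is constructed; the condition handling is deliberately conservative and simpler than the real S3 evaluator.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BlockPublicAccess:
    """The four S3 Block Public Access switches, using AWS's names for them."""
    block_public_acls: bool = False        # reject new public bucket/object ACLs
    ignore_public_acls: bool = False       # stop honouring existing public ACLs, objects included
    block_public_policy: bool = False      # reject a new bucket policy that grants public access
    restrict_public_buckets: bool = False  # stop honouring an existing public bucket policy

def policy_is_public(policy: dict) -> bool:
    """Conservative test: an Allow statement with a wildcard principal counts as public.
    Condition blocks are deliberately not evaluated, so a statement scoped by a
    condition key is still flagged for a human to review."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]):
            return True
    return False

def exposure(policy: dict, public_acl_present: bool, bpa: BlockPublicAccess) -> tuple[bool, bool]:
    """Return (reachable_anonymously_now, can_be_made_public_later).

    The Ignore/Restrict switches decide what existing grants still do; the two
    Block switches only decide whether new public grants can be written. Setting
    just the Block pair is the 'leave everything as is, but nothing else can be
    made public' posture described above; all four is 'nobody makes this public'."""
    via_policy = policy_is_public(policy) and not bpa.restrict_public_buckets
    via_acl = public_acl_present and not bpa.ignore_public_acls
    can_be_made_public = not (bpa.block_public_acls and bpa.block_public_policy)
    return via_policy or via_acl, can_be_made_public

# Constructed sample: a bucket policy that grants anonymous read on every object.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
```

Because object ACLs are covered by `ignore_public_acls`, the account-level "all four on" setting resolves the thousands-of-objects problem Mogull describes without touching each object.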
"More and more critical workloads are in the public cloud," said Johnnie Konstantas, senior director of security product management for Oracle Cloud. "I think ... the onus falls on public cloud providers to have this conversation and talk about what is to be done."
As organizations move to the cloud, cybercriminals continue to do the same. This is evident in phishing attacks mimicking the login pages of popular cloud services, like Office 365. Cybercriminals are after credentials that will give them the keys to cloud services.
"Unfortunately, a lot of people still use weak credentials," said Jon Clay, head of global threat communications for Trend Micro. "With credential stuffing ... part of that, attackers are starting to position phishing emails with phishing pages tied to cloud infrastructure and accounts."
Cybercriminals are making greater use of the public cloud, Imperva reports in its latest Cyber Threat Index, which found a 16% spike in Web attacks originating from the public cloud between November and December 2019. Amazon Web Services was the most popular source, accounting for 52.9% of all attacks originating in the public cloud. Imperva, which provided this stat after normalizing the data, says this indicates cloud providers should audit malicious behavior on their platforms.
In another twist on abuse of major cloud services, researchers have reported a new downloader in the wild mostly used to download remote access Trojans and information stealers. "GuLoader" is growing popular among multiple threat groups and typically stores encrypted payloads on Google Drive or Microsoft OneDrive, Proofpoint reports. It's often seen embedded in a container file, such as .iso or .rar, but researchers have also seen it downloaded directly from cloud hosting platforms.
When they do get into the cloud, many intruders continue to engage in cryptomining: a low-severity, high-likelihood attack that most businesses face. "Every one of you with a cloud account has dealt with this," said Mogull.
How it plays out: An attacker obtains credentials that allow them to launch compute (a RunInstance call, a virtual machine, or a container), runs a large instance or virtual machine, injects a cryptominer that connects out to a mining network, and exfiltrates the results. Alternatively, they could compromise an exposed instance, virtual machine, or container and inject the cryptominer there. "Seventy-eight percent of all cyberattacks are financially driven," said Shawn Harris, managing principal security architect for Starbucks, in his RSA talk with Mogull. "This is a very fast way to monetize that access."
Servers are still the best platform to cryptomine with, said Trend Micro's Clay, but attackers with access are taking steps to conceal their activity. Many used to "grab everything on the system," which victims would notice. Now they are throttling their activity to fly under businesses' radar.
Server-side request forgery (SSRF) is a dangerous attack method and a growing issue in cloud environments. SSRF is a particular threat in the cloud because of the instance metadata API, which lets applications access configurations, logs, credentials, and other information about the underlying cloud infrastructure. The metadata API is only reachable from the instance itself; an SSRF vulnerability in an Internet-facing application, however, lets a remote attacker reach it through that application. If exploited, it could enable an attacker to move laterally and conduct network reconnaissance.
It's a more intricate attack, Mogull said. An attacker first identifies an instance or container with a potential SSRF flaw, exploits it to extract credentials via the metadata service, and establishes a session with credentials in the attacker's environment. From there, the attacker can execute an API call to escalate privileges or take other malicious actions.
A few things have to happen for SSRF to be successful: Something must be exposed to the Internet, it must contain an SSRF vulnerability, and it must have identity and access management (IAM) privileges that allow it to do something elsewhere. It must also, he added, still be running version one of the metadata service.
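The conditions above suggest where the application-side control sits: any server-side fetch of a caller-supplied URL must refuse to reach the metadata endpoint, in every form the address can be written. The following is an added example, not code from the talk or from any cloud provider; `FAKE_DNS`, `parse_host_as_ip`, `is_forbidden_target` and `outbound_url_allowed` are hypothetical names, and the DNS mapping stands in for a real resolver so the code runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical stand-in for DNS so the example runs offline (constructed names and
# addresses). A real deployment resolves the name and checks every returned address,
# and applies the same check again to each redirect target.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],
}

def parse_host_as_ip(host: str):
    """Return an ip_address for a URL host, or None if it is a name or unparsable.
    Handles the integer forms (2852039166, 0xa9fea9fe) that slip past naive string
    blocklists but still address 169.254.169.254."""
    try:
        if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", host):
            return ipaddress.ip_address(int(host, 0))
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def is_forbidden_target(ip) -> bool:
    """Block anything that is not a globally routable unicast address: this covers
    the link-local metadata endpoint, its IPv6 form fd00:ec2::254, loopback, and
    the RFC 1918 space where the rest of the VPC lives."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    return (not ip.is_global) or ip.is_multicast

def outbound_url_allowed(url: str, resolve=lambda name: FAKE_DNS.get(name)) -> bool:
    """Decide whether a server-side fetch of a user-supplied URL may proceed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # no file://, gopher:// or schemeless surprises
    literal = parse_host_as_ip(parts.hostname)
    targets = [literal] if literal else [parse_host_as_ip(a) for a in (resolve(parts.hostname) or [])]
    if not targets or any(t is None for t in targets):
        return False  # unresolvable or malformed: fail closed
    return not any(is_forbidden_target(t) for t in targets)

if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/orders", "http://169.254.169.254/",
              "http://2852039166/", "http://[fd00:ec2::254]/"):
        print(u, "allowed" if outbound_url_allowed(u) else "blocked")
```

This is the application-layer half; the platform-side half that removes the last of Mogull's four conditions is requiring the token-based metadata service (on EC2, `aws ec2 modify-instance-metadata-options --http-tokens required`), which a plain GET-based SSRF cannot satisfy.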
Haiyan Song, senior vice president and general manager of security markets with Splunk, doesn't think organizations have given enough thought to the cloud digital supply chain as a potential security risk or considered the implications of incident response in this environment.
"A lot of the services we consume, applications we use ... it's never just from one company," she explains. When you order a car through a ride-sharing app, for example, there are several players involved: a payment company handling transactions, another providing GPS data. In the event someone breached a part of this process to send people to the wrong place, how would you proceed with incident response when all those APIs are controlled by different vendors?
"We're in the API economy," Song adds. Applications are built using API services, but if something goes wrong in the cloud, the organizations behind them will need visibility and processes in place to handle it. Is there a service-level agreement (SLA) and arrangement for incident response? How do we provide the visibility and tracing? Do you know who your providers are? Can you see their reputations? "It's helpful to know you're working with a vendor that's in good shape," she adds.
Brute-force attacks are top-of-mind for Trend Micro's Clay, who says attackers have begun to craft phishing emails with links to malicious pages tied to cloud infrastructure and accounts. Pop-ups may prompt victims to enter their usernames and passwords into fake login pages for Office 365 and other cloud applications.
"They're all looking for credentials," he says. Some attackers use the access for cryptomining or seeking data. Some don't do anything: One trend Clay sees growing is the sale of access-as-a-service on the Dark Web. Attackers gain access to an organization's cloud environment and then manage that access for another threat group; for example, the Emotet operators may sell their access to Sodinokibi or Ryuk ransomware operators. Clay notes this technique is popular among ransomware groups, who can bypass the effort of breaking into a target business.
"Access guys get the money from the criminal group, who get money from victims," he explains. "[We're] also starting to see less malware and more direct hacking once they're in."