
Several notorious cloud hacks between 2020 and 2022 were the result of simple technical errors that could have been thwarted by faster detection and response.

In a study of six major cloud security incidents in 2021-2022, Mohamed Shaaban, solution architect at Sysdig, found that attacks on the cloud are becoming more advanced, particularly in the volume of attacks and in attackers' use of automated tools, meaning defenders need to speed up their detection and response capabilities in order to thwart them.

Shaaban and his colleague Rafik Harabi will present a talk at Black Hat Middle East on "Lessons from 6 Headline-Grabbing Security Breaches" next week.

The researchers found some telling threads among the six incidents. Among them: attackers are building tools that automate the scanning, finding, and exploiting of the target in the attack, and they access systems via leaked credentials and common vulnerabilities.

The researchers selected attacks from different industries to analyze a range of cloud incidents:

  • PyTorch — In December 2022, an attacker used the PyPI code repository to download a compromised PyTorch dependency that included malicious code designed to steal system data. The attacker pretended to be an ethical hacker testing the system, and was only caught when they tried to obfuscate the malware and exfiltrate sensitive data.

  • MediBank — In November 2022, attackers gained access to internal systems via compromised login credentials, a tactic that "may have involved VPN access." After the attackers spent a month lurking on systems, they showed the bank what was stolen. However, the bank refused to pay a ransom demand, and the attacker published the data on the Dark Web.

  • Alibaba - Shanghai Police — In July 2022, a misconfigured Alibaba cloud server was left open on the Internet for over a year without a password, which led to 23TB of data being stolen and offered for sale on the hacker site Breach Forums. This 23TB file included the personal data of one billion Chinese citizens stored in the Shanghai National police database.

  • ONUS — In December 2021, attackers exploited a vulnerable version of Log4j at Vietnam's largest crypto trading company. Attackers got away with around two million customer records, including full names, E-KYC data, email addresses, phone numbers, encrypted passwords, and transaction histories.

  • Peloton — In May 2021, researchers determined that an unauthenticated user could view sensitive information for all users, watch live class statistics, and investigate other participants in the class — even if the user's account was set to private mode. The vulnerability meant user IDs, instructor IDs, group membership, location, and workout stats, as well as the gender and age of the user, were visible to an attacker.

  • Equinix — In September 2020, the data center provider suffered a ransomware attack that impacted some of the company's internal systems. The attackers apparently demanded a $4.5 million ransom from Equinix, claiming they were able to download sensitive data from the company's servers. They threatened to make the data public unless the ransom was paid. A nearly two-month investigation determined that no sensitive information on customer operations or customer information was affected, and data centers were not impacted by the incident.

Lessons Learned

Shaaban says the intention of the research into these attacks was to learn lessons of "what really went bad and what could have been done better." Those takeaways can help organizations reflect on their cloud environments and review the security controls and processes they have put in place, especially by focusing on the technical aspects of each incident and its long-term impact.

The researchers say the attack and response patterns in these incidents can provide insight into how to better protect and respond to cyber threats in the cloud.

Shaaban says one challenge is that security teams often must decide whether to have a prevention approach, where you harden your defenses, or to focus on detection and response, which requires multiple levels of security tools.

Therefore, he notes, a benchmark for detection and response is required, especially as defenders need to move faster to protect a wider attack surface against attackers who use automated tools in their attack efforts.

In that vein, Sysdig has proposed the 5/5/5 benchmark, where a company takes five seconds to detect, five minutes to triage, and five minutes to respond to a threat.

"In the cloud, because everything is really quick, we need everything to be fast, and we need the detections, triage, and response to be very fast, and this is why we have proposed the 5/5/5 benchmark," Shaaban says.

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading


With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
