IBM’s threat intelligence team X-Force this week released the 2021 X-Force Cloud Security Threat Landscape Report. Its central point: threat actors are relentless, but it is organizations themselves, through cloud environments riddled with misconfigurations, that make exploitation easy.
Threat actors are shifting their operations from on-premises environments to the cloud, according to IBM. So much so that a quarter of all incidents IBM X-Force incident responders handled involved attackers moving laterally into cloud environments. Meanwhile, compromised cloud resources have become one of the more valued commodities sold on the dark web.
These revelations are from the IBM 2021 X-Force Cloud Security Threat Landscape Report. As of this writing, tens of thousands of cloud accounts are up for sale on dark web forums and marketplaces.
The need for the cloud as a foundation of business operations has been apparent for a while. It became crystal clear during the stringent lockdowns governments imposed globally to slow the spread of COVID-19. During this period, the basic assumptions of business operations were upended, and leaders initially scrambled for ways to stay afloat amid the health crisis.
As the pandemic raged on, cloud emerged as one of the winners, with its benefits becoming evident. Remote work, distance learning, telehealth consultations, business continuity and the ability to scale operations became drivers of accelerated cloud adoption. To put numbers on it, Gartner estimated that spending on cloud services would balloon to $304.9 billion in 2021, a growth rate of 18.4%.
That is not to say that the COVID-19-induced ‘new normal’ is the only factor driving the necessity of cloud computing. In November 2019, Gartner predicted a 17% growth rate for cloud services. That was before the novel coronavirus had even been identified, so the prediction was based purely on pre-COVID-19 estimates.
Actual cloud growth in 2020 was 24.1% according to IDC, which shows that while organizations’ digital transformation efforts were already pushing cloud adoption, COVID-19 acted as a catalyst for executives to see where the future of business lay.
The opportunity is huge, but researchers at IBM X-Force are here to tell you that cloud adoption is laden with mistakes. Put simply, if the opportunity is huge for businesses, it is equally huge for cybercriminals, who are always on the lookout for weaknesses.
Findings from IBM’s 2021 X-Force Cloud Security Threat Landscape Report are based on dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research. The research covers the 12 months between July 2020 and June 2021.
What Makes Cloud Environments Susceptible to Threats?
Cloud vulnerabilities
Vulnerabilities that can blow open the security controls protecting an organization’s sensitive data are on the rise. According to IBM X-Force, vulnerabilities in cloud-deployed applications surged by 150% in the reporting period. In total, more than 2,500 cloud-related vulnerabilities have been disclosed.
Rise in Cloud Vulnerabilities | Source: IBM X-Force
Ironically, better security is one of the benefits commonly cited for moving to the cloud. “Cloud environments are heavily traveled data highways and are appetizing to threat actors due to the target-rich attack surface,” IBM said.
Nearly half of these 2,500 cloud vulnerabilities were disclosed in the past 18 months. “While some of this growth can be attributed to better tracking (cloud vulnerabilities were added to MITRE’s CVE standards in January 2020), this steep growth emphasizes the importance of closely managing this growing risk as more vulnerabilities are exposed.”
Most commonly exploited weaknesses
The first is the use of default security settings that may not be appropriate for a specific cloud deployment. Such deployments, which can include insufficiently enforced network controls, are often exposed directly to the internet. Internet-facing Remote Desktop Protocol (RDP) services and object stores holding nonpublic data are typical examples.
Recently, a default setting on a Microsoft Power Apps API, left unchanged by users, exposed 38 million data records belonging to 47 public and private entities. Because the permissive setting was the default rather than a flaw in the software, the leak was a misconfiguration rather than a vulnerability in the strict sense of the word.
The second is inadequate access control. This includes a lack of multifactor authentication (MFA) for SaaS solutions and other federated services, whose login pages may be reachable from the internet.
The third is inadequate segmentation of virtual networks and overly broad trust relationships between on-premises and cloud environments. This lets an attacker who has compromised one system move laterally across the rest of the organization’s infrastructure.
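The three weakness classes above are exactly what a configuration audit should look for. The script below is an added example written for this article, not code from IBM or the report: it walks a small inventory (a hypothetical, constructed schema, not any provider’s real API output) and flags administration ports open to the whole internet, nonpublic object stores granted to anonymous principals, interactive logins without MFA, and on-premises-to-cloud links with no port restriction. The “customer-exports-fixed” bucket shows the same store restricted to a single role so the difference between the weak and corrected policy is visible side by side.

```python
"""Added example (not from the IBM report): audit a constructed cloud
inventory for internet-exposed defaults, missing MFA and flat trust.
The inventory schema is hypothetical; the checks mirror what a cloud
security posture tool evaluates."""
import ipaddress
import json

# Constructed sample inventory. "customer-exports" is the misconfigured
# bucket; "customer-exports-fixed" is the same data restricted to one role.
SAMPLE_INVENTORY = json.loads("""
{
  "security_groups": [
    {"id": "sg-bastion", "rules": [{"port": 22, "cidr": "203.0.113.0/24"}]},
    {"id": "sg-win-app", "rules": [{"port": 3389, "cidr": "0.0.0.0/0"},
                                   {"port": 443, "cidr": "0.0.0.0/0"}]}
  ],
  "buckets": [
    {"name": "public-web-assets", "classification": "public",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject"}]}},
    {"name": "customer-exports", "classification": "confidential",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                               "Action": ["s3:GetObject", "s3:ListBucket"]}]}},
    {"name": "customer-exports-fixed", "classification": "confidential",
     "policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::111122223333:role/exporter"},
                               "Action": "s3:GetObject"}]}}
  ],
  "users": [
    {"name": "alice", "console": true, "mfa": true},
    {"name": "svc-backup", "console": false, "mfa": false},
    {"name": "bob-admin", "console": true, "mfa": false}
  ],
  "peerings": [
    {"id": "pcx-onprem-core", "from": "onprem-core", "to": "vpc-prod", "allowed_ports": "any"},
    {"id": "pcx-onprem-dmz", "from": "onprem-dmz", "to": "vpc-prod", "allowed_ports": [443]}
  ]
}
""")

# Remote-administration ports that should never be reachable from everywhere.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}


def world_open(cidr):
    """True if the CIDR covers the entire address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def principal_is_everyone(principal):
    """True for the wildcard principal forms that grant anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit(inventory):
    """Return (category, resource, detail) findings for the inventory."""
    findings = []
    # 1. Exposed defaults: admin ports open to the internet.
    for sg in inventory["security_groups"]:
        for rule in sg["rules"]:
            if rule["port"] in ADMIN_PORTS and world_open(rule["cidr"]):
                findings.append(("exposed-default", sg["id"],
                                 f"{ADMIN_PORTS[rule['port']]} open to {rule['cidr']}"))
    # 1b. Exposed defaults: nonpublic object stores readable by anyone.
    for bucket in inventory["buckets"]:
        if bucket["classification"] == "public":
            continue
        for stmt in bucket["policy"]["Statement"]:
            if stmt["Effect"] == "Allow" and principal_is_everyone(stmt["Principal"]):
                findings.append(("exposed-default", bucket["name"],
                                 "nonpublic data granted to anonymous principals"))
    # 2. Access control: interactive logins without MFA.
    for user in inventory["users"]:
        if user["console"] and not user["mfa"]:
            findings.append(("weak-access-control", user["name"],
                             "console login without MFA"))
    # 3. Segmentation: on-premises/cloud trust links with no port restriction.
    for link in inventory["peerings"]:
        if link["allowed_ports"] == "any":
            findings.append(("flat-trust", link["id"],
                             f"unrestricted {link['from']} -> {link['to']}"))
    return findings


if __name__ == "__main__":
    for category, resource, detail in audit(SAMPLE_INVENTORY):
        print(f"[{category}] {resource}: {detail}")
```

Run against the sample it reports four findings: RDP on sg-win-app open to 0.0.0.0/0, the world-readable customer-exports bucket, bob-admin logging in without MFA, and the unrestricted onprem-core peering; the bastion group, the public assets bucket, the fixed bucket and the port-restricted DMZ link pass. In a real environment the inventory would come from the provider’s configuration API, but the decision logic is the same.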
IBM also pointed out that organizations face a shortage of skills for threat monitoring, detection and incident response. Because the cloud is still relatively new to most of them, they are on a learning curve and have not yet built the same level of confidence and expertise for cloud environments that they have for on-premises ones.
Cloud misconfigurations
Cloud misconfigurations are proving to be a bigger problem than they ought to be. Sensitive data exposed on the open internet is often not the result of an intricate bug or vulnerability; a single employee mistake is enough. And given the scale of present-day clouds, of which data storage is a huge part, the chances of a misconfiguration are high.
IBM found that two-thirds of cloud security incidents it examined involved improperly configured APIs, leading to unauthorized access. Trend Micro likewise stated in January this year that 65-70% of all security issues in the cloud start with a misconfiguration.
Between 2018 and 2019, 33.4 billion records were exposed due to cloud misconfigurations, DivvyCloud found. Rapid7’s assessment found that the median data exposure from a misconfigured cloud environment stood at 10 million records.
Finding such misconfigured cloud databases or storage blobs (object storage services) is trivial with search engines such as Shodan. Once found, a misconfigured cloud instance is attacked about 18 times per day, according to estimates by security product comparison site Comparitech.
Threat actors usually deploy commodity and open-source info-stealers and malware to exfiltrate data from storage blobs that have been exposed, whether through a misconfiguration or a vulnerability.
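Because exposed storage is found and probed so quickly, the access logs of an object store are one of the first places to look for evidence of anonymous reads; the same logic belongs in the cloud-side monitoring the report recommends. The script below is an added example written for this article, not IBM’s or any vendor’s code. It parses constructed log lines laid out in the documented S3 server access log field order (bucket owner, bucket, [time], remote IP, requester, request ID, operation, key, "request URI", status, error code, bytes sent; later fields are ignored), treats a requester of "-" as an unauthenticated request, counts anonymous probes per source IP, and reports successful anonymous reads of buckets that are supposed to be private. Bucket names, IPs and records are constructed, not real data.

```python
"""Added example (not from the IBM report): detection logic over constructed
S3 server access log lines. Field order follows the documented format up to
the bytes-sent field; the remaining fields are ignored. All lines, buckets
and IPs below are constructed sample data."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+) (?P<bytes>\S+)'
)

# Operations that read data or enumerate keys.
READ_OPS = {"REST.GET.OBJECT", "REST.HEAD.OBJECT", "REST.GET.BUCKET"}

# Buckets that must never serve anonymous requests (the "nonpublic data" case).
PRIVATE_BUCKETS = {"customer-exports"}

# Constructed sample log: one authenticated read, then anonymous probing from
# two IPs, two of which succeed because the bucket is world-readable, plus one
# malformed line to show that unparseable input is skipped rather than crashing.
SAMPLE_LOG = """\
79a59df9owner customer-exports [01/Jun/2021:10:15:02 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/2021-05.csv "GET /reports/2021-05.csv HTTP/1.1" 200 - 51234 51234 12 9 "-" "aws-cli/2.2.0" -
79a59df9owner customer-exports [01/Jun/2021:10:16:44 +0000] 198.51.100.7 - 7B2F19EXAMPLE00 REST.GET.BUCKET - "GET /customer-exports?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "python-requests/2.25.1" -
79a59df9owner customer-exports [01/Jun/2021:10:16:45 +0000] 198.51.100.7 - 7B2F19EXAMPLE01 REST.GET.OBJECT reports/2021-05.csv "GET /reports/2021-05.csv HTTP/1.1" 200 - 51234 51234 14 11 "-" "python-requests/2.25.1" -
79a59df9owner customer-exports [01/Jun/2021:10:16:46 +0000] 198.51.100.7 - 7B2F19EXAMPLE02 REST.GET.OBJECT reports/2021-06.csv "GET /reports/2021-06.csv HTTP/1.1" 200 - 49870 49870 13 10 "-" "python-requests/2.25.1" -
79a59df9owner customer-exports [01/Jun/2021:11:02:13 +0000] 198.51.100.9 - 9C0D31EXAMPLE00 REST.GET.OBJECT secrets.env "GET /secrets.env HTTP/1.1" 403 AccessDenied 243 - 8 - "-" "curl/7.68.0" -
this line is not in the expected format
"""


def parse(line):
    """Parse one access log line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyse(log_text, private_buckets=PRIVATE_BUCKETS):
    """Return (exposures, probes): successful anonymous reads of private
    buckets as (ip, bucket, key) tuples, and anonymous requests per IP."""
    exposures = []
    probes = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["requester"] != "-":      # "-" marks an unauthenticated request
            continue
        probes[rec["ip"]] += 1
        if (rec["bucket"] in private_buckets
                and rec["operation"] in READ_OPS
                and rec["status"] == "200"):
            exposures.append((rec["ip"], rec["bucket"], rec["key"]))
    return exposures, probes


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} anonymous request(s)")
    for ip, bucket, key in found:
        print(f"EXPOSURE {bucket}/{key} read anonymously from {ip}")
```

On the sample it attributes three anonymous requests to 198.51.100.7 and one to 198.51.100.9, and flags the two successful reads of reports/2021-05.csv and reports/2021-06.csv as exposures; the denied list and the denied secrets.env fetch count as probes but not exposures. A 403 from an anonymous source is still worth alerting on, since it is exactly the scanning behaviour that precedes a successful read once a policy is loosened.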
Where Do Cloud Resources End Up?
Nearly 30,000 cloud accounts are up for sale on a “thriving dark web market,” IBM’s analysis revealed. Because commodity and open-source malware is used to harvest them, the company said it is difficult to estimate how many threat actors are involved.
Each cloud account has a different value associated with it and is available for a few dollars to over $15,000 per account. The value of the account is dependent on the cloud credits the account holds, geography, and the access level to the owner organization (root access, less privileged users, etc.)
This makes sense considering that cloud account credits can be used to obtain additional computing resources from the cloud vendor. “On average, the price tag for cloud access rose an extra $1 for every $15-30 in credit the account held. An account with $5000 in available credit would be worth about $250 (a ratio of 20:1),” IBM explains. “The scheme of account access pricing is similar to the sale of fraudulent access to bank accounts, whose value increases the more money a victim has in the account.”
The 20:1 ratio, low relative to the credit at stake, may reflect either a large supply of stolen accounts or weak demand. Sellers, according to IBM, offer warranties of access for seven or 14 days and promise a full refund if access is revoked, since there is always the risk that the cloud vendor or the original victim will discover the compromise and cut the buyer off.
Stolen accounts may also be used for lateral movement within the organization’s network, which is why network segmentation, traffic filtering, firewalls and proxies are a must.
Where Do Hackers Use Stolen Cloud Resources?
To make money!
Cryptocurrencies are a high-growth sector, having reached record levels in the past 18 months. The surge in transactions and interest has naturally attracted phishers.
John LaCour, founder and CTO of PhishLabs, said, “As they’ve gained prominence, crypto exchanges are being targeted with many of the same cyber threats that larger, more established financial institutions have faced for years. Crypto firms need to be aware of and better prepared to deal with online impersonation and other scams.”
More than half of the compromised cloud systems IBM X-Force observed were used to mine cryptocurrency or launch ransomware attacks.
Coinminers, or cryptocurrency mining malware, are also being deployed against Linux-based cloud workloads. Trend Micro found that almost one in four malware types targeting Linux is a coinminer, and the reason Linux is targeted is that most cloud workloads run on it. Separately, PhishLabs reported that phishing attacks against cryptocurrency targets increased tenfold in Q2 2021 compared with Q1 2021.
“Cloud environments are an attractive target for resource intensive cryptominers as they can provide scalable resources and processing power,” IBM X-Force said. “Also, cloud environments may not receive the same level of oversight as on-premises servers, which is appealing for threat actors and makes it easier for ‘noisy’ malware like DDoS bots and cryptominers to remain undetected for longer periods.”
Besides coinminers/cryptominers, and ransomware, cloud environments are also targeted for botnets, banking trojans, command and control (C2) backend, and fileless malware.
Mitigating Cloud Threats
IBM X-Force suggests the following:
- Implement an open and integrated security approach.
- Leverage zero-trust approaches to security, such as virtual network segmentation.
- Evaluate trust relationships between on-premises and cloud environments.
- Extend monitoring and detection to cloud environments, not just on-premises ones.
- Minimize the risk of unauthorized access to the cloud with a bastion host that isolates private cloud networks from external networks and the internet.
- Use firewalls and load balancers to filter malicious traffic.
- Implement access control and identity and access management measures such as the principle of least privilege and MFA.
- Apply lifecycle governance so cloud resources stay on supported, patched versions.
- Use tools to enforce compliance and security posture.
- Regularly conduct penetration testing and adversary simulation exercises.
- Automate incident response through artificial intelligence.
- Maintain forensic data.
Closing Thoughts
IBM’s research indicates that threats to the cloud aren’t going away anytime soon and will worsen before they get better. There is no one-size-fits-all solution: each organization will have to tailor its security controls and response model to its own risk profile.