The cybersecurity landscape is constantly changing, and it is necessary to stay up to date with new techniques and attack surfaces. As businesses continue to turn to the cloud to store their data and access services, the threats against these technologies continue to grow.
Here is a summary of the most dangerous attack techniques observed to date.
One of the most common attacks seen on cloud networks is the exploitation of vulnerable services.
It is therefore important to keep these systems patched to limit the risk. Particularly threatening to cloud services are the actions that follow the initial compromise, such as lateral movement into key corporate systems and resources hosted on the cloud network. The main challenge for victims is to respond effectively and quickly.
Many of the affected companies, which rely on vulnerability scanners to identify and protect against such vulnerabilities, were exposed to increased risk in their networks because the vulnerability was exploited a week before it was discovered.
A well-known example is the Apache Log4j vulnerability, which had a huge impact around the world when it was disclosed. The severity of the attacks that result from such a vulnerability shows how important it is for organizations to identify malicious activity before a service is even identified as vulnerable.
Incorrect configurations are the most common cause of data leakage in the cloud, where companies inadvertently leave customer data available to the public, making it easily exploited by cybercriminals.
These errors have led to an increasing number of data leaks over the years. Again, this phenomenon is not cloud-specific, but it is becoming common, primarily because of the complexity of cloud configurations.
Moreover, monitoring these configurations is not only about preventing data leaks. In many cases, cloud hosts have been found to be infected with malware or to have gained additional network access, possibly as a result of system changes made by an attacker.
The TeamTNT group, for example, has accessed insecurely exposed Docker daemons to install and run its own malicious images, enlisting victims in botnets or using them for cryptocurrency mining. This is a simple but very effective technique against companies with misconfigured cloud services.
The range of cloud networking applications that can be compromised when misconfigured is too broad to cover here. It should be noted, however, that a lapse in configuration vigilance not only can lead to a compromise of cloud services, but becomes a very simple intrusion vector for a competent cybercriminal.
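The exposed Docker daemon mentioned above is a configuration problem that can be checked for mechanically. The following is an added example, not code from the article or from any project it names: it audits a `daemon.json` for the pattern behind that class of compromise, a `tcp://` listener without TLS client verification. The two configurations it runs against are constructed samples, and the certificate paths in the hardened one are assumed.

```python
"""Audit a Docker daemon.json for an insecurely exposed API socket.

Added example (not from the original article). A Docker API reachable over
TCP without client-certificate verification gives anyone who can reach the
port full control of the daemon, which is root-equivalent on the host.
"""
import json

# Constructed sample: a misconfigured daemon.json as seen in real incidents.
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TLS with mutual authentication, bound to one management
# address. The certificate paths are assumed placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(config_text: str) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # Unix socket only: not reachable over the network.

    # "tls" alone only encrypts the channel; "tlsverify" is what requires a
    # client certificate signed by the configured CA.
    if not cfg.get("tlsverify"):
        findings.append(
            f"TCP listener(s) {tcp_hosts} without tlsverify: any client that "
            "can reach the port controls the daemon."
        )
    elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify is set but tlscacert/tlscert/tlskey are incomplete.")

    for host in tcp_hosts:
        if "0.0.0.0" in host or "[::]" in host:
            findings.append(
                f"{host} binds every interface; restrict it to a management network."
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

Run this against `/etc/docker/daemon.json` on each container host as part of configuration monitoring; the same check belongs in whatever tool reviews host build templates before they are deployed, since the exposed listener is usually introduced at provisioning time rather than by hand.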
Supply chain attacks continue to increase. Some are clearly identified, such as the SolarWinds compromise attributed to a Russian APT; many others, however, are confined to cloud networks and services.
An increasingly common method of supply chain attack is the compromise of Docker Hub images.
TeamTNT, mentioned above, has compromised and continues to compromise Docker Hub images, which in turn compromises anyone who pulls or updates those images.
Its main objectives include generic botnet functionality and cryptocurrency mining. Docker administrators should be careful when adding new images and installing external software on their network.
Proper telemetry from the endpoints running such images helps catch anything malicious that activates only after a delay.
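One concrete control against a re-published or tampered registry image is to reference base images by content digest rather than by tag, since a tag can be re-pointed at different content while a digest cannot. The following is an added example, not code from the article or from any project it names: it scans a Dockerfile for `FROM` lines that are not digest-pinned. The Dockerfile it scans is a constructed sample and its `sha256` value is a placeholder.

```python
"""Flag Dockerfile base images that are not pinned to a content digest.

Added example (not from the original article). Tags such as ":latest" or
even "golang:1.21" can be re-pointed on the registry; "image@sha256:..."
identifies exact content and fails the pull if it changes.
"""
import re

# Matches "FROM [--platform=...] image [AS alias]" (case-insensitive keywords).
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample: one tag-only stage, one digest-pinned stage, one scratch.
# The digest below is a placeholder, not a real image digest.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM golang:1.21 AS build
WORKDIR /src
RUN go build -o app .
FROM alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /src/app /app
FROM scratch
"""


def check_dockerfile(text: str) -> list:
    """Return (line_no, image, problem) for every FROM that is not digest-pinned."""
    problems = []
    stage_aliases = set()  # names defined with "AS", which later FROMs may reuse
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if alias:
            stage_aliases.add(alias.lower())
        if image.lower() == "scratch" or image.lower() in stage_aliases:
            continue  # empty base image or a previous build stage: nothing to pin
        if "@sha256:" in image:
            continue  # content-addressed reference
        # Look only at the last path component so "registry:5000/repo" is not
        # mistaken for a tagged image.
        last = image.rsplit("/", 1)[-1]
        if ":" in last:
            problems.append((line_no, image, "tag only; pin with an @sha256 digest"))
        else:
            problems.append((line_no, image, "no tag; resolves to :latest, pin with a digest"))
    return problems


if __name__ == "__main__":
    for line_no, image, problem in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {image}: {problem}")
```

The digest to pin can be read from a locally pulled image with `docker inspect --format '{{index .RepoDigests 0}}' image:tag`; after that, updating the base image becomes an explicit, reviewable change to the Dockerfile rather than something that happens silently on the next build.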
When it comes to the software supply chain, attackers have many opportunities. As the 2021 compromise of Codecov's Bash uploader reporting tool showed, software can be compromised as easily as it is effective.
This tool, commonly used in the software development lifecycle, was modified through an update to include a single line of code that went undiscovered for several months. This code allowed the attacker to retrieve credentials stored in continuous integration environments and in customers' integration processes.
It is currently impossible to comment on the real intentions of these hackers, but such attacks will continue to become more frequent, especially through open source software used around the world.
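The Codecov case above is an integrity failure: a script fetched and executed by CI pipelines changed, and nothing in the pipeline noticed. The following is an added example, not code from the article or from Codecov: it shows the minimal control, recording the SHA-256 of a fetched tool when it is adopted and refusing to execute it when the digest no longer matches. The "published" and "tampered" scripts are constructed stand-ins; the tampered one is never executed, only hashed.

```python
"""Refuse to execute a fetched CI helper script whose digest has changed.

Added example (not from the original article). The scripts below are
constructed stand-ins for a vendor-published tool and a tampered copy.
"""
import hashlib
import hmac

# Constructed: the script as originally published by the vendor.
PUBLISHED_SCRIPT = b"#!/bin/sh\nset -e\necho 'uploading coverage report'\n"

# Constructed: the same script with one injected line that would dump the CI
# environment (where credentials live). Hashed here, never executed.
TAMPERED_SCRIPT = PUBLISHED_SCRIPT + b"env > /tmp/ci-env-copy\n"

# The digest a team records in its own repository when it adopts the tool.
# In practice this is a literal string under version control, not recomputed.
PINNED_SHA256 = hashlib.sha256(PUBLISHED_SCRIPT).hexdigest()


def verify_script(script: bytes, expected_hex: str) -> bool:
    """True only if the script's SHA-256 equals the pinned digest."""
    actual_hex = hashlib.sha256(script).hexdigest()
    # Constant-time comparison; avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual_hex, expected_hex)


def run_if_verified(script: bytes, expected_hex: str, executor) -> bool:
    """Hand the script to `executor` only when verification passes.

    `executor` is whatever actually runs it (e.g. a subprocess call); it is
    a parameter so the decision logic can be tested without running anything.
    Returns True if the script was executed, False if it was refused.
    """
    if not verify_script(script, expected_hex):
        return False
    executor(script)
    return True


if __name__ == "__main__":
    executed = []
    print("published:", run_if_verified(PUBLISHED_SCRIPT, PINNED_SHA256, executed.append))
    print("tampered: ", run_if_verified(TAMPERED_SCRIPT, PINNED_SHA256, executed.append))
    print("scripts actually run:", len(executed))
```

A digest pin turns an unexpected upstream change into a failed build instead of a silent credential leak; updating the tool then means reviewing the new version and committing the new digest. Where the vendor publishes signatures, verifying the signature is the stronger form of the same check, but a pinned hash is what most pipelines can adopt immediately.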
Such examples lead us to conclude that a large proportion of cloud-related threats aim at gaining access to the cloud management platform, and in particular to privileged cloud accounts. Defending against these threats matters because they give an attacker the ability to bypass the controls on information access or to take control of a powerful and generally trusted service.
A hacker with privileged access to a cloud service's management platform, whether AWS, GCP or Azure, can infiltrate many areas where the activity is difficult to identify.
Using open source tools such as Purple Panda, an attacker with stolen credentials can automate privilege escalation and identify opportunities for lateral movement.
The methods attackers use to gain such access remain numerous; one is combing through online code and image repositories (GitHub, Docker Hub) for keys that have been leaked inadvertently. Such access enables supply chain attacks and bulk data theft.
In addition, highly skilled and well-resourced hackers, such as APT29, seek this type of access for state-sponsored missions. Extra vigilance is therefore important, because this level of access is precisely what cybercriminals are after.
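Keys leaked into code and image repositories, as described above, are the one part of this problem a defender can find before an attacker does. The following is an added example, not code from the article or from any tool it names: a small scanner that flags AWS access key IDs by their documented `AKIA`/`ASIA` prefix format and flags assignments to secret-like variable names whose values have high Shannon entropy, while leaving low-entropy placeholder values alone. The file it scans is a constructed `.env`; the AWS key pair in it is the example pair from AWS's own documentation, not a live credential.

```python
"""Scan text committed to a repository for credentials that should not be there.

Added example (not from the original article). Two detectors: a format match
for AWS access key IDs, and an entropy check on values assigned to variables
whose names suggest a secret.
"""
import math
import re
from collections import Counter

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 upper/digit chars.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# "<something secret-ish> = <value>" in .env, YAML, shell or source files.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b(?:[a-z0-9_]*(?:secret|token|password|api_key)[a-z0-9_]*)\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{16,})"
)

# Constructed sample of a .env file committed by mistake. The AWS values are
# the example key pair from AWS documentation, not a real credential.
SAMPLE_ENV_FILE = """\
# constructed .env committed by mistake
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ADMIN_PASSWORD=changemechangeme
"""


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    if not value:
        return 0.0
    counts = Counter(value)
    total = len(value)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.5) -> list:
    """Return (line_no, kind, matched_value) for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        key_id = AWS_KEY_ID_RE.search(line)
        if key_id:
            findings.append((line_no, "aws_access_key_id", key_id.group(0)))
            continue
        assign = SECRET_ASSIGN_RE.search(line)
        if assign:
            value = assign.group(1)
            # Placeholders such as "changemechangeme" repeat characters and
            # score low; real secrets are close to uniformly random.
            if shannon_entropy(value) >= min_entropy:
                findings.append((line_no, "high_entropy_secret", value))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_ENV_FILE):
        print(f"line {line_no}: {kind}: {value[:8]}...")
```

Wiring this into a pre-commit hook or a CI step stops the common case, a configuration file or test fixture committed with live values; it does not replace rotating any key that has already reached a public repository, since an attacker may have copied it long before the scanner runs.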
Attackers are increasingly targeting vulnerabilities in applications, open source software and cloud technology. Although the techniques used in these attacks vary, they usually exploit the fact that cloud networks are large, complex and difficult to manage.
Agent-based and container security solutions are therefore essential to protect companies against threats on any type of cloud platform.