The cybersecurity threat landscape is vast, and we are often faced with the challenge of keeping up with novel attack techniques and new attack surfaces. As enterprises continue to transition to storing data and offering services through the cloud, we will continue to see an increase in threat activity relevant to all forms of cloud technology. In this post, I want to share a summary of the most dangerous cloud attack methods observed in the wild today, and offer some insight into how we at SentinelLabs perceive them. The examples included in this post are based on both active opportunistic and targeted attackers we observe.
One of the most commonly observed attacks in cloud networks is compromise through vulnerable services. Consequently, the criticality of running updated systems cannot be overstated. What makes this particularly important for cloud services is the post-compromise actions often available to the attacker, such as lateral movement to major business systems and resources hosted in a cloud network, and the challenge victims face in responding effectively and in a timely manner.
One well-known example of this type of attack was the immediate exploitation of the Apache Log4j vulnerability. Apache had a single vulnerability with massive impact across the world when it was discovered, yet there are so many other common services ripe for such attacks too. Victim organizations that relied on vulnerability scanners to identify and defend against the likes of Log4j were exposed to increased risk across their networks, as the vulnerability was exploited a week before it was disclosed.
Log4j, like many other n-day vulnerabilities, was quickly abused by attackers. In this case, both opportunistic and targeted attackers made use of the vulnerability to achieve their objectives. The majority of observed attacks were opportunistic; however, in some rare cases, well-resourced APTs also exploited the vulnerability, including those attributed to China and Iran.
The severity of attacks that occurred on the back of a vulnerability like this shows just how vital it is for enterprises to be able to detect malicious activity before a service is known to be vulnerable.
Configuration oversight is the most common cause of the vast majority of cloud storage data leaks. Organizations mistakenly leaving customer data publicly accessible, or easily accessible to attackers, has led to a climb in data leaks over the years. Again, this is not unique to the cloud. It is increasingly common due to the ease and hidden complexity of cloud storage configurations.
Additionally, configuration oversight is not limited to causing data leaks. In many cases, we have observed cloud hosts become infected with malware, or grant further network access, because an attacker was able to make changes to a system. For example, an opportunistic threat actor known as TeamTNT has been observed accessing unsecured Docker daemons to install and execute their own malicious images, infecting victims with a botnet and cryptocurrency miners. This is a simple but highly effective technique against organizations with misconfigured cloud services.
The range of applications common to cloud networks that can be abused when misconfigured is too large to dive into here. However, the takeaway is that a configuration oversight not only allows for commodity abuse but an extremely simple intrusion vector for a more capable threat actor. There is a reason we continue to observe the most dangerous APTs scanning the internet for such open doors: It is worth the effort.
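The unsecured Docker daemon case above comes down to one configuration detail: whether the Docker API is listening on a TCP socket that any network peer can reach without presenting a client certificate. The check below is an added example written for this post, not SentinelLabs or Docker code. It reads the keys Docker documents for `/etc/docker/daemon.json` (`hosts`, `tlsverify`, `tlscacert`) and reports listeners that would let anyone who can reach the port start containers; the three sample configurations are constructed for illustration.

```python
"""Flag Docker daemon configurations that expose the API without TLS.

Added example (not SentinelLabs or Docker code). It reads the keys Docker
documents for /etc/docker/daemon.json ("hosts", "tlsverify", "tlscacert")
and reports TCP listeners that any network peer could use to start containers.
"""
import json
from urllib.parse import urlsplit


def find_exposed_listeners(cfg: dict) -> list:
    """Return (host, reason) tuples for each risky TCP listener in `cfg`.

    unix:// and fd:// sockets are local to the host and skipped. A tcp://
    listener is only acceptable when the daemon verifies client certificates
    (tlsverify) against a CA it has been given (tlscacert).
    """
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    has_ca = bool(cfg.get("tlscacert"))
    for host in cfg.get("hosts", []):
        if urlsplit(host).scheme != "tcp":
            continue
        if not tls_verify:
            findings.append((host, "TCP API listener without tlsverify: "
                                   "anyone who can reach the port controls the daemon"))
        elif not has_ca:
            findings.append((host, "tlsverify set without tlscacert: "
                                   "client certificates cannot be validated"))
    return findings


def check_daemon_json(text: str) -> list:
    """Parse daemon.json content and run the listener check on it."""
    return find_exposed_listeners(json.loads(text))


# Constructed sample configurations for illustration (not from any real host).
EXPOSED = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
LOCAL_ONLY = {"hosts": ["unix:///var/run/docker.sock"]}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED),
                      ("local-only", LOCAL_ONLY)):
        print(name, "->", find_exposed_listeners(cfg) or "no TCP exposure found")
```

The same two questions (is there a `tcp://` listener, and is client certificate verification turned on) apply when the daemon is started with `-H` and `--tlsverify` flags on the `dockerd` command line instead of `daemon.json`; an inventory that asks them across a fleet catches the misconfiguration before a scanner does.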
Supply chain attacks hold a special place in the heart of attackers. While supply chain intrusions have been heavily reported on with the likes of SolarWinds, which was attributed to a Russian APT, there are others which are isolated to cloud networks and services.
One increasingly common supply chain attack method is the compromise of Docker Hub images. The previously mentioned TeamTNT has compromised, and continues to compromise, Docker Hub images, leading to the infection of anyone installing or updating those trusted images. In their case, primary objectives include generic botnet functionality and the use of miners. Docker admins should exercise the same caution when taking in new images as when installing outside software into their network. Proper endpoint telemetry from hosts running such images is an ideal way to ensure nothing malicious activates after a delay in these types of deployments.
In terms of the software supply chain, we are faced with an ever-growing set of opportunities for the attacker. As we observed in the 2021 compromise of the Codecov bash uploader, software can be compromised in simple yet effective ways. In the Codecov compromise, a tool commonly used in the software development lifecycle was modified through an update to include a single line of code which went undiscovered for months. The code enabled the attacker to collect environment secrets. At this time we cannot speak to the true intent of these attackers; however, it's hard to disregard the simplicity and success of the intrusion. Such attacks will continue to become more common, particularly through open source software used globally.
Examples like those above can teach us an important lesson: So much of the cloud threat landscape centers around the desire to access the cloud management platform, especially privileged cloud accounts. It’s so critical to defend against cloud threats because they offer the attacker an opportunity to break the barrier of accessing information or control over a powerful, normally-trusted service.
An attacker with privileged access to the management platform of a cloud service, be it AWS, GCP, or Azure, can weave their way into many difficult-to-identify places. Thanks to open source tools like Purple Panda, an attacker with stolen credentials in hand can automate cloud privilege escalation and identify opportunities for lateral movement.
The ways that attackers seek such access are, again, quite varied. For example, we know opportunistic attackers scan online code and image repositories (GitHub, Docker Hub) for mistakenly leaked keys. This has allowed them to kick off supply chain attacks and general bulk data theft. Additionally, highly capable and well-resourced targeted attackers like APT29 also make a deliberate effort to seek such access for state-sponsored missions. Overall, this is a highly desirable level of access that any attacker would enjoy, so it should be of the utmost importance for defenders to track.
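Because attackers scan public repositories for leaked keys, the cheapest defensive move is to run the same kind of scan on your own code before it is pushed. The scanner below is an added example written for this post, not SentinelLabs or any vendor's tool. The AWS access key ID format (`AKIA` followed by 16 uppercase alphanumerics) and the PEM private-key header are documented public formats; the generic `secret=`/`token=`/`password=` pattern and the character-class filter used to suppress placeholder values are assumptions of this example, and the sample lines (including AWS's published example key ID) are constructed.

```python
"""Detect credentials that should never be committed to a repository.

Added example (not SentinelLabs code). Regex detection of known key formats
plus a generic assignment pattern, filtered by character-class diversity so
that placeholders such as "changeme" do not drown real findings.
"""
import re

# Known formats: the AWS access key ID shape and PEM private-key headers are
# public documentation. The generic assignment pattern is this example's own
# heuristic: a credential-like name, '=' or ':', then a 16+ character value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}
GENERIC = re.compile(
    r"(?i)(?:secret|token|password|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"
)


def classes_present(value: str) -> int:
    """Count character classes (lower, upper, digit, symbol) in a value.

    Cheap false-positive filter: generated secrets mix at least three classes,
    while human placeholders ("changeme_in_prod") rarely do.
    """
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in value) for check in checks)


def scan_lines(lines) -> list:
    """Return findings as dicts with 1-based line number, kind and matched value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        specific_hit = False
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({"line": number, "kind": kind, "value": match.group(1)})
                specific_hit = True
        if specific_hit:
            continue  # a known format already explains this line
        match = GENERIC.search(line)
        if match and classes_present(match.group(1)) >= 3:
            findings.append({"line": number, "kind": "generic_assignment",
                             "value": match.group(1)})
    return findings


# Constructed sample input. The first two values are the example credentials
# AWS publishes in its documentation; the rest are made up for this example.
SAMPLE_LINES = [
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "DB_PASSWORD=changeme_in_prod",                 # placeholder: must not fire
    "API_TOKEN=Zq8vL2pX9rT4wN7kM1sB6hJ3",          # constructed token
    "-----BEGIN RSA PRIVATE KEY-----",
    "print('hello world')",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(f"line {finding['line']}: {finding['kind']} -> {finding['value']}")
```

Wire `scan_lines` into a pre-commit hook or CI job over the diff of each change and fail the build on any finding; the class-diversity filter keeps the generic rule from flagging every `password=changeme` in test fixtures, while the format-specific rules still fire on any value that looks like a real key regardless of how bland it appears.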