Although cloud adoption has been an inevitable imperative for some time and a driving force in changing how businesses operate, interact, and transact, the COVID-19 pandemic has dramatically accelerated the timeline.
Businesses have been either directly or indirectly forced to move their operations to the cloud and implement remote/hybrid working environments. The cloud still holds the promise of scalability, flexibility, and innovation which will be a key factor in remaining competitive.
However, the hasty adoption has left many businesses vulnerable, without adequate time to analyze risks as well as plan and implement adequate security measures, policies, and practices.
As always, cybercriminals were ready to pounce, and cybercrime surged in the wake of the pandemic.
In a year-long study by IBM’s X-Force threat intelligence team, the extent of the security threat in this new frontier was laid bare. They concluded that threat actors were stepping up their activity aimed at cloud systems in accordance with the increased adoption of SaaS, IaaS, and PaaS ecosystems by businesses.
Beyond that, an entire cybercrime economy has sprung up around cloud systems, both leveraging them as infrastructure and exploiting them as targets.
One example is the increased availability of commodity malware Remote Access Trojans (RATs) and other off-the-shelf malware tools. These make it easy for even unsophisticated attackers to launch highly effective malware attacks against a wider range of targets. Often, this strategy is used by Initial Access Brokers (IABs) who sell stolen credentials or cookies to other threat actors or “big game hunters” on black markets. In this way, small and under-the-radar attacks by smaller actors can lead to much larger and more damaging attacks by more sophisticated actors.
Recently, an unsophisticated Nigeria-based actor was found to have been leeching on the airline industry in this way for at least five years.
In their own study, IBM’s X-Force discovered roughly 30,000 cloud credentials made available for sale on various dark web forums. Over 70% of the advertised credentials promised Remote Desktop Protocol (RDP) access to cloud resources.
Depending on the value of the credential in question, prices ranged from a few dollars to over $15,000 for a single listing.
It was also discovered that many of the attacks launched against cloud infrastructure were ransomware and cryptomining malware.
Leading factors making organizations vulnerable targets in the cloud
IBM identified several top contributors to leaked credentials or other security compromises in the cloud:
- Improperly configured APIs: Around 66% of the breached cloud environments studied were the result of misconfigured Application Programming Interfaces (APIs). Among these misconfigurations were virtual machines exposed to the internet with default security settings, as well as insufficiently enforced network controls.
- Password and policy violations: Human error has always been a leading contributor to security incidents, and the cloud is no exception. X-Force Red found password and policy violations in the vast majority of cloud penetration tests they conducted. This coincides with a significant growth in the severity of cloud vulnerabilities with a 150% increase in disclosed vulnerabilities over the last 5 years.
They also highlighted a lack of adequate expertise and confidence in developing and configuring security controls in cloud computing environments. This leads to a fragmented and more complex security perimeter that is tougher to manage and maintain.
How to protect your cloud systems
Based on their findings, X-Force had several suggestions for organizations looking to improve their cloud security posture. They highlighted overall modernization as a critical control for enhancing security.
However, most attacks can be prevented by simply tightening up the planning, implementation, and enforcement of appropriate security configurations and policies.
According to the study, nearly two-thirds of attacks could have been prevented with more robust hardening of systems. This includes enforcing security policies and patching vulnerabilities and exposures more quickly.
Organizations should try to limit their exposure to “Shadow IT”: cloud instances, systems, or resources that have not gone through an organization’s official channels. During the study, Shadow IT was found to be responsible for nearly 50% of incidents.
Make sure that policies are followed by all users, including strong credential guidelines, and that systems are not exposed to the internet with default security configurations.
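The checks above (no internet-exposed management ports or default-open rules, and no resources outside official channels) are the kind of thing worth automating against an inventory export rather than verifying by hand. The script below is an added example written for this article, not tooling from IBM X-Force or from the report. It assumes a simplified, vendor-neutral rule schema (`proto`, `from`, `to`, `cidr`) rather than any real cloud provider's API response, and it uses a constructed sample inventory; the "missing owner tag" heuristic for Shadow IT is an assumption about how an organization labels sanctioned resources, not a finding from the study.

```python
import ipaddress
from typing import Dict, List

# Constructed sample inventory (not real data). Each resource carries
# its tags and a list of ingress rules in a simplified schema.
SAMPLE_INVENTORY = [
    {
        "id": "web-01",
        "tags": {"owner": "platform-team", "ticket": "CHG-1042"},
        "ingress": [
            {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
            {"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/8"},
        ],
    },
    {
        "id": "jumpbox-tmp",
        "tags": {},  # no owner tag: assumed marker of an unsanctioned resource
        "ingress": [
            {"proto": "tcp", "from": 3389, "to": 3389, "cidr": "0.0.0.0/0"},
        ],
    },
    {
        "id": "test-vm",
        "tags": {"owner": "dev-sandbox"},
        "ingress": [
            # "-1" stands for "all protocols" in this example's schema
            {"proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"},
        ],
    },
]

# Management ports that should never be reachable from the whole internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}


def is_world_open(cidr: str) -> bool:
    """True when the source CIDR covers every address (IPv4 or IPv6)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def port_in_rule(rule: dict, port: int) -> bool:
    """True when the rule's port range includes the given port."""
    return rule["from"] <= port <= rule["to"]


def audit(inventory: List[dict]) -> Dict[str, List[str]]:
    """Return {resource_id: [issue, ...]} for every resource with findings.

    Flags: missing owner tag (Shadow IT heuristic), any rule that opens all
    protocols to the world, and any world-open rule covering a management port.
    """
    findings: Dict[str, List[str]] = {}
    for res in inventory:
        issues: List[str] = []
        if "owner" not in res.get("tags", {}):
            issues.append("no owner tag (possible shadow IT)")
        for rule in res.get("ingress", []):
            if not is_world_open(rule["cidr"]):
                continue  # restricted source: not an internet exposure
            if rule["proto"] in ("-1", "all"):
                issues.append(f"all protocols open to {rule['cidr']}")
                continue
            for port, name in MANAGEMENT_PORTS.items():
                if port_in_rule(rule, port):
                    issues.append(
                        f"{name} ({port}/{rule['proto']}) open to {rule['cidr']}"
                    )
        if issues:
            findings[res["id"]] = issues
    return findings


if __name__ == "__main__":
    for rid, issues in audit(SAMPLE_INVENTORY).items():
        print(rid)
        for issue in issues:
            print("  -", issue)
```

On the sample data, `web-01` produces no findings (HTTPS to the world is expected for a web server, and SSH is limited to an internal range), `jumpbox-tmp` is flagged for world-open RDP and a missing owner tag, and `test-vm` for an allow-all rule. In practice you would feed the function the normalized output of your provider's security-group listing and run it on a schedule, so that a default-configured instance or an unsanctioned resource surfaces before an Initial Access Broker finds it.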