Enterprising criminals are selling direct access to cloud accounts
Lacework released its cloud threat report, unveiling the new techniques and avenues cybercriminals are infiltrating to profit from businesses.
The rapid shift of applications and infrastructure to the cloud creates gaps in the security posture of organizations everywhere. This has increased the opportunities for cybercriminals to steal data, take advantage of an organization’s assets, and to gain illicit network access.
“It’s in enterprises’ best interest to start thinking of cybercriminals as business competitors,” said James Condon, Director of Research at Lacework.
“Last year alone, cybercrime and ransomware attacks cost companies $4 billion in damages. As more companies shift to cloud environments, we’re seeing an increase in demand for stolen access to cloud accounts and evolving techniques from cybercriminals, making enterprises even more vulnerable to cloud threats.”
Initial Access Brokers (IABs) expand to cloud accounts
As corporate infrastructure continues to expand to the cloud, so do opportunistic adversaries looking to capitalize on it.
Illicit access into cloud infrastructure of companies with valuable data/resources or wide-reaching access into other organizations offers attackers an incredible return on investment. In particular, Amazon AWS, Google Cloud, and Azure administrative accounts are gaining popularity in underground marketplaces.
Threat actor campaigns continue to evolve
A variety of malicious activity originating from known adversary groups and malware families was observed:
- Botnet and custom miner: A new cluster of activity was recently discovered, linked to an adversary group campaign of infecting hosts, primarily through common cloud services, with a custom miner and an IRC bot for further attacks and remote control. This cluster shows operations evolving on many levels, including efforts to hide botnet scale and mining profits. This is indicative of attacks growing in size.
- Docker image compromise: A threat actor backdoored legitimate Docker images in a supply chain-like attack. Networks running the trusted image were unknowingly infected. Developer teams need to be certain they know what’s in the image they pull. They need to validate the source or they could open a door to their environment.
Popular cloud-relevant crimeware and actors
Cpuminer, the open-source multi-algorithm miner, has been legitimately used for years. However, an increase in its illicit use for cryptomining altcoins was observed.
Monero and XMRig account for most of the cryptomining observed against cloud resources, so activity involving lesser-seen coins and tools may be more likely to go undetected.
Cloud services probing
A range of telemetry from both product deployments and custom honeypots was captured, which makes it possible to see trends relevant to cloud defense. Across these sources, many cloud-relevant applications are continually targeted, but AWS S3, SSH, Docker, SQL and Redis were found to be by far the most targeted.
Recommendations for defenders
- Ensure Docker sockets are not publicly exposed and appropriate firewall rules/security groups and other network controls are in place. This will help to prevent unauthorized access to network services running in an organization.
- Ensure the access policies you set via the console on S3 buckets are not being overridden by an automation tool. Frequent auditing of S3 policies and automation around S3 bucket creation can ensure data stays private.
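One way to act on the last recommendation, as an added example that is not from the report or from Lacework: a pure-Python audit that parses an S3 bucket policy document and flags Allow statements open to any principal, run here over two constructed policies. In a real audit the policy JSON would be fetched per bucket from the S3 API (assumed, not shown), and the output compared against what was set in the console.

```python
import json

# Constructed sample bucket policies (illustrative, not from the report).
# The first grants anonymous read on every object; the second is scoped
# to a single AWS account principal.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _is_wildcard_principal(principal) -> bool:
    """True when a statement's Principal means anyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def find_public_statements(policy_json: str) -> list:
    """Return (Sid, kind) for every Allow statement open to any principal.

    kind is "public" for an unconditional grant and "conditional" when a
    Condition block is present: its reach depends on the condition keys
    (for example a source-IP restriction) and needs a human look.
    """
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    findings = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        findings.append((sid, "conditional" if "Condition" in stmt else "public"))
    return findings
```

Running the check on a schedule, and again whenever a provisioning tool touches a bucket, catches the case where automation silently widens a policy that was locked down by hand.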