New research from Atlas VPN shows that cloud-native exploits on major cloud service providers (CSPs) declined during the first four months of 2022.
Cloud-native exploits dropped by 25%, from 71 exploits in the first four months of 2021 to 53 exploits in the first four months of this year, Atlas researcher Ruta Cizinauskaite told the E-Commerce Times.
Although those numbers may seem small, they are significant, maintained Paolo Passeri, a cyber intelligence principal at Netskope, a Security Service Edge provider in Santa Clara, Calif., and author of the Hackmageddon blog, from which Atlas obtained the data for its report.
“This is only the so-called tip of the iceberg, that is, campaigns that have been unearthed and disclosed by security researchers,” he told the E-Commerce Times.
One of the most targeted CSPs during the period was Amazon Web Services (AWS), Cizinauskaite wrote in the report released June 8. “[AWS] suffered the most cloud-native exploits among cloud service providers as of April 2022,” she reported. “In total, it experienced 10 cloud-native exploits accounting for nearly a fifth (18.9%) of all such events in the first four months of this year.”
She explained that cloud-native threats refer to cyber events that exploit the cloud in one or more stages of the “kill chain,” a cybersecurity model that identifies the typical steps taken by hackers during a cyberattack.
Tool for Mischief
For hackers, Amazon — which, with a third of the CSP market, is top dog — is a robust battleground where an attacker can never run out of targets, Alon Gal, co-founder and CTO of Hudson Rock, a threat intelligence company in Tel Aviv, Israel, told the E-Commerce Times.
AWS is also a flexible tool that can be used for multiple purposes, Passeri added. For example, AWS can be used to host a malicious payload delivered during an attack, as a command-and-control center for malware or to provide the infrastructure to exfiltrate data, he explained.
“As trust in cloud service providers has increased, so has the attraction for cybercriminals that target selected external services with sophisticated yet expected techniques,” Gal observed.
“Once a playbook for a technique is developed,” he continued, “it usually results in a quick win for them across multiple companies.”
David Vincent, vice president of product strategies at Appsian Security, an ERP security application provider in Dallas, explained that more and more organizations are moving their critical business systems into the cloud for obvious advantages.
“As long as these business systems contain valuable targets such as data and personally identifiable information or enable financial transactions, like payments, that criminals want access to, these cloud solutions will continue to be targeted by malicious actors,” he told the E-Commerce Times.
With 60% of corporate data stored in the cloud, CSPs have become a target for hackers, Passeri added.
“Besides,” he continued, “a compromised cloud account can provide the attackers multiple tools to make their attacks more evasive.” For example, they can provide a platform to host malicious content, such as AWS, OneDrive or Google Drive. They can also provide an embedded email service, such as Exchange or Gmail, to deliver malicious content that evades web security gateways.
Fishers of Bytes
The report noted that trailing behind AWS in the targeted department were five services each with five exploits: Microsoft OneDrive, Discord, Dropbox, Google Drive, and GitHub.
Other services had a thinner slice of the exploit pie: Pastebin (5.7%); Microsoft 365 and Azure (3.8%); and Adobe Creative Cloud, Blogger, Google Docs, Google Firebase, Google Forms, MediaFire, and Microsoft Teams (1.9%).
A majority of the exploits (64.8%), the report found, were aimed at delivering a malware strain or a phishing page.
Other exploits used the CSPs to set up a command and control infrastructure for malignant activities elsewhere (18.5%) and for stealing data or launching other attacks (16.7%).
“Successful hackers are like fishermen: they have different lures in the tackle box to attack a victim’s weakness, and they often must change the lure or use multiple lures because the victims become informed and won’t bite,” Vincent explained.
Exploiting CSP Infrastructure
Passeri explained that malware delivered to CSPs is not designed to compromise their systems but to use their infrastructure since it is considered trusted by the victims and organizations that use it.
In addition, he continued, the CSPs offer a flexible platform that is resilient and simplifies hosting. For example, there is no need to allocate an IP space and register a domain.
Advantages to hackers using a CSP’s infrastructure cited by Passeri include:
- It is considered trusted by the victim because they see a legitimate domain and in the case of a phishing page, a webpage hosted on a cloud service with a legitimate certificate.
- In some cases it is also trusted by organizations: many of them treat the CSP infrastructure as trusted and end up whitelisting the corresponding traffic, so the security controls normally enforced on traditional web traffic are not applied.
- It is resilient because if the malicious content is taken down, the attackers can spin up a new instance instantaneously.
- Traditional web security technologies are blind to the context, that is, they do not recognize if, for example, a connection to AWS is heading to a legitimate corporate instance, or to a rogue instance controlled by the attackers.
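The last two points above describe one failure mode: a control that allowlists an entire provider domain cannot tell a corporate bucket from one an attacker spun up minutes ago. The following Python script is an added illustration of that gap, not code from the article, the Atlas VPN report or any of the companies quoted. It runs a handful of constructed proxy log lines through a coarse domain-level rule and through a rule keyed on the specific S3 bucket names the (hypothetical) organization owns; the bucket names, hostnames and log lines are all made up for the example.

```python
"""
Context-aware review of proxy logs for cloud-storage traffic.

Added example (not from the article): compares a domain-level allowlist
("anything under amazonaws.com is fine") with a rule that trusts only the
buckets the organization actually uses.  All names and log lines below are
constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Constructed: storage locations this hypothetical organization owns.
APPROVED_BUCKETS = {"acme-corp-assets", "acme-corp-backups"}

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
PROXY_LOG = """\
2022-04-03T10:01:12Z 10.20.0.15 GET https://acme-corp-assets.s3.amazonaws.com/img/logo.png 200
2022-04-03T10:02:44Z 10.20.0.15 GET https://s3.amazonaws.com/acme-corp-backups/2022-04-02.tgz 200
2022-04-03T10:05:09Z 10.20.0.31 GET https://invoice-update-7731.s3.eu-west-1.amazonaws.com/invoice.html 200
2022-04-03T10:05:10Z 10.20.0.31 GET https://s3.amazonaws.com/sharedocs-login/index.html 200
2022-04-03T10:07:51Z 10.20.0.40 GET https://www.example.com/news 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Virtual-hosted-style S3 hostnames: <bucket>.s3.amazonaws.com or
# <bucket>.s3.<region>.amazonaws.com (legacy s3-<region> form also accepted).
VHOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path-style hostnames: s3.amazonaws.com or s3.<region>.amazonaws.com,
# where the bucket is the first path segment.
PATH_STYLE_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def extract_bucket(url):
    """Return the S3 bucket a URL addresses, or None if it is not S3 traffic."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname is already lower-cased
    m = VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if PATH_STYLE_RE.match(host):
        first_segment = parts.path.lstrip("/").split("/", 1)[0]
        return first_segment or None
    return None


def domain_allowlist_verdict(url):
    """Coarse rule: any host under amazonaws.com is trusted, context ignored."""
    host = urlsplit(url).hostname or ""
    trusted = host == "amazonaws.com" or host.endswith(".amazonaws.com")
    return "allow" if trusted else "inspect"


def context_aware_verdict(url, approved=APPROVED_BUCKETS):
    """Trust only buckets the organization owns; flag every other S3 bucket."""
    bucket = extract_bucket(url)
    if bucket is None:
        return "inspect"                 # not S3 traffic: normal controls apply
    return "allow" if bucket in approved else "flag-unknown-bucket"


def review(log_text, approved=APPROVED_BUCKETS):
    """Parse the log and record both verdicts for each request."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # skip malformed lines rather than crash
        _ts, client, _method, url, _status = m.groups()
        rows.append({
            "client": client,
            "url": url,
            "bucket": extract_bucket(url),
            "domain_rule": domain_allowlist_verdict(url),
            "context_rule": context_aware_verdict(url, approved),
        })
    return rows


def flagged_buckets(log_text, approved=APPROVED_BUCKETS):
    """Sorted list of unknown buckets the context-aware rule would flag."""
    return sorted({r["bucket"] for r in review(log_text, approved)
                   if r["context_rule"] == "flag-unknown-bucket"})


if __name__ == "__main__":
    for r in review(PROXY_LOG):
        print(f'{r["client"]:12} bucket={str(r["bucket"]):24} '
              f'domain-rule={r["domain_rule"]:8} context-rule={r["context_rule"]}')
    print("unknown buckets:", flagged_buckets(PROXY_LOG))
```

On the constructed log, the domain rule waves through all four AWS requests, while the bucket-keyed rule passes the two corporate buckets and flags the two unknown ones for inspection. The same idea applies to any provider whose hostname or path carries a tenant or account identifier; the hard part in practice is maintaining the approved list, which is an inventory problem rather than a detection one.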
One form of malware distributed through CSPs is information-stealing software. “Info-stealers are a quick win for hackers, as they are able to capture all the sensitive data from a compromised computer in a matter of seconds while leaving almost no traces behind,” Gal said.
“They can then use data like corporate credentials and cookies that were captured by the stealer to cause significant data breaches and ransomware attacks,” he added.
While hackers are willing to use CSP infrastructure for nefarious ends, they’re less inclined to attack that infrastructure itself. “Most exploits from CSPs are a result of misconfigured public internet-facing resources, like AWS S3 buckets,” explained Carmit Yadin, CEO and founder of DeviceTotal, a risk management company in Tel Aviv, Israel.
“Malicious actors target these misconfigurations rather than looking for a vulnerability in the CSP’s infrastructure,” he told the E-Commerce Times. “CSPs often maintain a more secure infrastructure than their customers can manage alone.”
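The misconfiguration Yadin refers to is usually a bucket policy that grants access to everyone, left in place without the account-level Block Public Access guardrails. The following Python script is an added illustration, not code from the article or from any of the companies quoted: it evaluates constructed bucket policies and Block Public Access settings offline and classifies each bucket. In a real review the inputs would come from the S3 GetBucketPolicy and GetPublicAccessBlock API responses; the bucket names, account ID, role name and organization ID below are made up.

```python
"""
Offline check for publicly readable S3 bucket configurations.

Added example (not from the article).  Inputs are constructed JSON documents
shaped like a bucket policy and a PublicAccessBlock configuration; no AWS
call is made.  Condition blocks are not evaluated, so conditioned grants to
"*" are reported for review rather than silently accepted or rejected.
"""
from fnmatch import fnmatchcase

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy JSON allows a scalar or a list in most fields; normalize to list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the two forms that mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def allows_object_read(actions):
    """True if any listed action (wildcards included) covers s3:GetObject."""
    return any(fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def public_grants(policy):
    """Return (Sid, conditional) pairs for Allow statements to everyone that
    cover object reads.  'conditional' is True when a Condition is present."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        if not allows_object_read(stmt.get("Action", [])):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), bool(stmt.get("Condition"))))
    return findings


def public_access_block_enabled(pab):
    """True only when all four Block Public Access settings are on."""
    return all(pab.get(k, False) for k in PAB_KEYS)


def assess_bucket(name, policy, pab):
    """Classify one bucket: public-read, policy-public-but-blocked,
    review-conditions, or none."""
    grants = public_grants(policy)
    unconditional = [sid for sid, cond in grants if not cond]
    conditional = [sid for sid, cond in grants if cond]
    if unconditional and not public_access_block_enabled(pab):
        risk = "public-read"
    elif unconditional:
        risk = "policy-public-but-blocked"
    elif conditional:
        risk = "review-conditions"
    else:
        risk = "none"
    return {"bucket": name, "risk": risk,
            "statements": unconditional + conditional}


# Constructed sample configurations (account ID, role and org ID are made up).
SAMPLE_BUCKETS = {
    "acme-public-www": {
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::acme-public-www/*"}]},
        "pab": {k: False for k in PAB_KEYS},
    },
    "acme-finance-exports": {
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "ExportRole", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/FinanceExport"},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::acme-finance-exports/*"}]},
        "pab": {k: True for k in PAB_KEYS},
    },
    "acme-partner-drop": {
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:*",
             "Resource": ["arn:aws:s3:::acme-partner-drop",
                          "arn:aws:s3:::acme-partner-drop/*"],
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]},
        "pab": {k: True for k in PAB_KEYS},
    },
}


def assess_all(buckets=SAMPLE_BUCKETS):
    """Map bucket name -> risk label for every configuration supplied."""
    return {name: assess_bucket(name, cfg["policy"], cfg["pab"])["risk"]
            for name, cfg in buckets.items()}


if __name__ == "__main__":
    for name, cfg in SAMPLE_BUCKETS.items():
        print(assess_bucket(name, cfg["policy"], cfg["pab"]))
```

The check deliberately treats the Block Public Access settings as a separate layer: a public statement that the account-level block neutralizes is still worth fixing, because the block can be removed later, but it is a lower-priority finding than an unconditional public grant with nothing standing in front of it.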