Cybercriminals buy up admin credentials to sharpen attacks on cloud deployments

3 years ago 397

Lacework investigation finds that SSH, SQL, Docker and Redis were the astir communal targets implicit the past 3 months.

Safe unafraid  unreality  computing accusation  exertion   mobile net  web  technology

Image: Rick_Jo, Getty Images/iStockphoto

Companies should present see cybercriminals arsenic concern competitors, according to Lacework's 2021 Cloud Threat Report Volume 2

The study authors urge this displacement successful reasoning for 2 reasons: 

  1. Cybercriminals are moving hard to nett straight done ransom and extortion 
  2. They besides are aiming to nett indirectly by stealing resources

The Lacework Lab analyzed telemetry from its customers and different information to place rising and expanding information threats to unreality deployments. One of the astir absorbing trends implicit the past fewer months, according to the report, is rising request for entree to unreality accounts. This shows up successful the merchantability of admin credentials to unreality accounts from Initial Access Brokers. The investigation besides recovered continued increases successful scanning and probing of retention buckets, databases, orchestration systems and interactive logins.

SEE: How the speedy displacement to the unreality has led to much information risks (TechRepublic)

Lacework Labs tracks menace enactment successful a methodology based astir the MITRE ATT&CK techniques. The study identified these notable attacker tactics, techniques and procedures from the past fewer months:

  1. User execution: Malicious Image [T1204.003]
  2. Persistence: Implant Internal Image [T1525]
  3. Execution: Deploy Container [T1610]

Lacework analysts besides person been tracking TeamTNT passim this year. Researchers discovered earlier this twelvemonth that Docker images containing malware from TeamTNT were being hosted successful nationalist Docker repositories arsenic a effect of malicious relationship takeovers. Analysts recovered aggregate cases successful which the cybercriminals utilized exposed Docker Hub secrets connected GitHub to usage for staging the malicious images.  

Cloud services probing

The study analyzed postulation from May 1 to July 1, 2021, to place unreality threats. The investigation showed that SSH, SQL, Docker and Redis were the unreality applications targeted the astir often implicit the past 3 months. Security researchers focused connected cloudtrail logs successful AWS environments and S3 enactment successful particular. They recovered that Tor seemed to beryllium utilized much often for AWS reconnaissance. The bulk of enactment came from these sources:

  • 60729:"Zwiebelfreunde e.V."
  • 208294:Markus Koch"
  • 4224:"CALYX-AS"
  • 208323:"Foundation for Applied Privacy"
  • 62744:"QUINTEX"
  • 43350:"NForce Entertainment B.V."

The apical 3 S3 APIs included GetBucketVersioning, GetBuckAcl and GetBucketLocation.

Lacework analysts urge taking these steps to unafraid the unreality environment:

  • Ensure Docker sockets are not publically exposed and due firewall rules, information groups and different web controls are successful spot to forestall unauthorized entree to web services.
  • Ensure basal images are coming from trusted upstream sources and audited appropriately.
  • Implement Key-based SSH authentication.
  • Ensure the entree policies acceptable via console connected S3 buckets are not being overridden by an automation tool. 
  • Conduct predominant audits of S3 policies and automation astir S3 bucket instauration to guarantee information stays private.
  • Enable protected mode successful Redis instances to forestall vulnerability to the internet.

Cloud and Everything arsenic a Service Newsletter

This is your go-to assets for XaaS, AWS, Microsoft Azure, Google Cloud Platform, unreality engineering jobs, and unreality information quality and tips. Delivered Mondays

Sign up today

Also spot

Read Entire Article