Cybercriminals buy up admin credentials to sharpen attacks on cloud deployments

Lacework analysis finds that SSH, SQL, Docker and Redis have been the most common targets over the past three months.


Image: Rick_Jo, Getty Images/iStockphoto

Companies should now think of cybercriminals as business competitors, according to Lacework's 2021 Cloud Threat Report Volume 2.

The report's authors recommend this shift in thinking for two reasons:

  1. Cybercriminals are working hard to profit directly through ransom and extortion
  2. They also aim to profit indirectly by stealing resources

Lacework Labs analyzed telemetry from its customers and other data to identify emerging and growing security threats to cloud deployments. One of the most interesting trends over the past few months, according to the report, is growing demand for access to cloud accounts. This shows up in the sale of admin credentials for cloud accounts by Initial Access Brokers. The analysis also found continued increases in scanning and probing of storage buckets, databases, orchestration systems and interactive logins.

SEE: How the rapid shift to the cloud has led to more security risks (TechRepublic)

Lacework Labs tracks threat activity using a methodology built around MITRE ATT&CK techniques. The report identified these notable attacker tactics, techniques and procedures from the past few months:

  1. User Execution: Malicious Image [T1204.003]
  2. Persistence: Implant Internal Image [T1525]
  3. Execution: Deploy Container [T1610]

Lacework analysts have also been tracking TeamTNT throughout this year. Researchers discovered earlier this year that Docker images containing TeamTNT malware were being hosted in public Docker repositories as a result of malicious account takeovers. Analysts found several cases in which the cybercriminals used Docker Hub secrets exposed on GitHub to stage the malicious images.

Cloud services probing

The report analyzed traffic from May 1 to July 1, 2021, to identify cloud threats. The analysis showed that SSH, SQL, Docker and Redis were the cloud applications targeted most frequently over those months. Security researchers focused on CloudTrail logs in AWS environments and on S3 activity in particular. They found that Tor appeared to be used more frequently for AWS reconnaissance. The majority of that activity came from these networks (listed by autonomous system number and operator):

  • AS60729: Zwiebelfreunde e.V.
  • AS208294: Markus Koch
  • AS4224: CALYX-AS
  • AS208323: Foundation for Applied Privacy
  • AS62744: QUINTEX
  • AS43350: NForce Entertainment B.V.

The top three S3 APIs called were GetBucketVersioning, GetBucketAcl and GetBucketLocation, all bucket-metadata calls typical of an attacker checking what a stolen credential can reach before touching any object.
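As an added example (not part of Lacework's report or tooling), the following Python detection groups CloudTrail S3 calls of the three APIs named above by caller and flags callers that issued them from Tor exit addresses, swept several buckets, or hit AccessDenied while doing so. The CloudTrail records are constructed and reduced to the fields the logic uses, the Tor prefixes are placeholder documentation ranges standing in for a real exit-node list or ASN lookup, and the function names are this example's own.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Bucket-metadata calls the report names as the top three S3 APIs in recon traffic.
RECON_S3_APIS = {"GetBucketVersioning", "GetBucketAcl", "GetBucketLocation"}

# Placeholder (assumption): in practice load the published Tor exit list or
# resolve sourceIPAddress to its ASN. These are RFC 5737 documentation ranges.
TOR_EXIT_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed CloudTrail records (one JSON object per line, real field names,
# reduced to the fields this detection reads).
SAMPLE_TRAIL = """\
{"eventTime":"2021-06-12T03:14:11Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketAcl","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-backups"}}
{"eventTime":"2021-06-12T03:14:13Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketVersioning","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-logs"},"errorCode":"AccessDenied"}
{"eventTime":"2021-06-12T03:14:20Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketLocation","sourceIPAddress":"203.0.113.44","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-web-assets"}}
{"eventTime":"2021-06-12T03:15:02Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","sourceIPAddress":"10.0.4.15","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-web-assets","key":"index.html"}}
{"eventTime":"2021-06-12T09:01:44Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketLocation","sourceIPAddress":"10.0.4.15","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ops-admin/alice"},"requestParameters":{"bucketName":"corp-logs"}}
"""


def load_events(trail_text):
    """Parse newline-delimited CloudTrail records into dicts."""
    return [json.loads(line) for line in trail_text.splitlines() if line.strip()]


def is_tor_exit(ip):
    """True if the source address falls inside a known Tor exit prefix."""
    try:
        addr = ip_address(ip)
    except ValueError:  # CloudTrail puts a DNS name here for AWS-service-originated calls
        return False
    return any(addr in net for net in TOR_EXIT_PREFIXES)


def find_bucket_recon(events, bucket_threshold=3):
    """Group recon S3 calls by caller ARN and return the callers worth a closer look."""
    stats = defaultdict(lambda: {"buckets": set(), "ips": set(), "tor_calls": 0, "denied": 0})
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in RECON_S3_APIS:
            continue
        caller = ev.get("userIdentity", {}).get("arn", "unknown")
        src = ev.get("sourceIPAddress", "")
        s = stats[caller]
        s["buckets"].add(ev.get("requestParameters", {}).get("bucketName", "?"))
        s["ips"].add(src)
        if is_tor_exit(src):
            s["tor_calls"] += 1
        if ev.get("errorCode") == "AccessDenied":
            s["denied"] += 1

    findings = []
    for caller, s in stats.items():
        reasons = []
        if s["tor_calls"]:
            reasons.append(f"{s['tor_calls']} recon call(s) from Tor exit IPs")
        if len(s["buckets"]) >= bucket_threshold:
            reasons.append(f"enumerated {len(s['buckets'])} buckets")
        if s["denied"]:
            reasons.append(f"{s['denied']} AccessDenied (probing beyond granted scope)")
        if reasons:  # a single GetBucketLocation from the office network is not a finding
            findings.append({"caller": caller, "buckets": sorted(s["buckets"]),
                             "source_ips": sorted(s["ips"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_bucket_recon(load_events(SAMPLE_TRAIL)):
        print(f["caller"], "->", "; ".join(f["reasons"]))
```

In a real environment the same grouping runs as a query over CloudTrail in Athena or CloudTrail Lake, with sourceIPAddress enriched against the Tor exit list or an ASN feed so the operators listed above become a match condition rather than a hard-coded prefix list. The AccessDenied count matters on its own: a legitimate automation identity rarely asks about buckets it cannot read.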

Lacework analysts recommend taking these steps to secure the cloud environment:

  • Ensure Docker sockets are not publicly exposed and that appropriate firewall rules, security groups and other network controls are in place to prevent unauthorized access to network services.
  • Ensure base images come from trusted upstream sources and are audited appropriately.
  • Implement key-based SSH authentication.
  • Ensure the access policies set through the console on S3 buckets are not being overridden by an automation tool.
  • Conduct frequent audits of S3 policies and of the automation around S3 bucket creation to ensure data remains private.
  • Enable protected mode on Redis instances to prevent exposure to the internet.
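Most of the settings in that list can be checked mechanically. The following Python audit is an added example, not Lacework's code: it parses constructed weak and hardened versions of sshd_config, redis.conf, Docker's daemon.json and an S3 bucket policy, side by side, and reports the settings the recommendations call out. The sample configurations, file names and function names are this example's own assumptions.

```python
import json

# Constructed samples: the weak settings the recommendations warn about, beside
# the corrected versions. File names are illustrative.
WEAK = {
    "sshd_config": "Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n",
    "redis.conf": "# reachable from anywhere, protected mode switched off\n"
                  "bind 0.0.0.0\nprotected-mode no\nport 6379\n",
    "daemon.json": '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}',
    "bucket_policy.json": '{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", '
                          '"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", '
                          '"Resource": "arn:aws:s3:::corp-backups/*"}]}',
}
HARDENED = {
    "sshd_config": "Port 22\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
                   "PermitRootLogin prohibit-password\n",
    "redis.conf": "bind 127.0.0.1 -::1\nprotected-mode yes\nport 6379\n",
    "daemon.json": '{"hosts": ["unix:///var/run/docker.sock"]}',
    "bucket_policy.json": '{"Version": "2012-10-17", "Statement": [{"Sid": "BackupRole", '
                          '"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup"}, '
                          '"Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-backups/*"}]}',
}


def directives(text):
    """Parse 'key value' lines (sshd_config / redis.conf style); last occurrence wins."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out


def audit_sshd(text):
    d = directives(text)
    findings = []
    # OpenSSH defaults PasswordAuthentication to yes, so a missing directive is a finding too.
    if d.get("passwordauthentication", "yes").lower() != "no":
        findings.append("sshd: PasswordAuthentication is not 'no' (key-based auth not enforced)")
    if d.get("permitrootlogin", "").lower() == "yes":
        findings.append("sshd: PermitRootLogin yes")
    return findings


def audit_redis(text):
    d = directives(text)
    findings = []
    if d.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode no")
    # Redis accepts several addresses; a leading '-' marks an optional one.
    binds = [b.lstrip("-") for b in d.get("bind", "").split()]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("redis: listens on all interfaces (no loopback-only bind)")
    return findings


def audit_docker_daemon(text):
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"docker: API exposed on {host} without TLS client auth")
    return findings


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} in any of its list/string spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket_policy(text):
    policy = json.loads(text)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") == "Allow" and is_public_principal(st.get("Principal")) and "Condition" not in st:
            findings.append(f"s3: statement {st.get('Sid', '?')} grants {st.get('Action')} to everyone")
    return findings


AUDITS = {"sshd_config": audit_sshd, "redis.conf": audit_redis,
          "daemon.json": audit_docker_daemon, "bucket_policy.json": audit_bucket_policy}


def audit_all(configs):
    """Run every audit over a {file name: contents} mapping; returns a flat list of findings."""
    findings = []
    for name, text in configs.items():
        findings.extend(AUDITS[name](text))
    return findings


if __name__ == "__main__":
    print("weak:", *audit_all(WEAK), sep="\n  ")
    print("hardened:", audit_all(HARDENED))
```

For the S3 items the point of the audit is what it is run against: feed it the policy actually attached to the bucket (the output of get-bucket-policy, not the policy in the console or the template in source control), so an automation tool that overwrites the console setting is caught on the next run rather than on the next breach.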
