Attackers target the cloud. We just don't care to notice - interview

With companies increasingly moving to the cloud, securing assets is as important as ever. There's no lack of dangers. It's just that we focus too much on the breach itself and not on what happens after it.

With extortion campaigns dominating the cyber security landscape in recent months, it's easy to forget that threat actors target other assets too.

As much as 79% of companies have experienced cloud data breaches in the last 18 months, with 43% suffering ten cloud-based intrusion attempts. With over 90% of organizations housing at least part of their digital assets in the cloud, that's a big problem.

Even giants like Azure can succumb to critical vulnerabilities. Recently, researchers at Palo Alto found that Azure containers used code that had not been updated to patch a known vulnerability, allowing the researchers to take complete control of other users' data.


It doesn't help that the rapid transition to the cloud left many security holes open for exploitation. According to Menachem Shafran, a cybersecurity expert and VP Product at XM Cyber, a cloud and physical network security company, attackers frequently target the cloud. Still, public attention stays on how the attackers gained initial access rather than on what they did next.

"Breaching is not the problem you want to focus on. How are attackers moving once they're in? And this is something that I feel we as an industry need to focus on and talk more about," Shafran told CyberNews.

We got on a call to discuss how rapid cloud adoption affects the security of assets, why attackers quickly gain access to critical data, and why we don't hear about cloud-based attacks more often.

The last couple of years have seen an unprecedented pace of cloud adoption. Some, however, claim that companies did so by cutting corners on security. Did you notice the same trend?

The pandemic contributed to that a lot. Executives thought they were shifting to working from home anyway, so why not transition to the cloud as well? We noticed that businesses cut corners by doing 'lift and shift.' I had a conversation with a security team of a large British company on their GCP (Google Cloud Platform) environment.

They explained that they were using an old GCP organization, and everybody was doing whatever they wanted, basically just doing lift and shift. And we realized that this created a lot of security risk because you just move that machine, and you don't know exactly what it's doing. It has a lot of vulnerabilities that you need to start patching and worrying about. Since you only want it to work fast, you'd give it a lot of permissions.

Menachem Shafran. An excerpt from a YouTube video.

The reality of operation dictates to do everything to make the environment work, and problems will be solved later. The thing is, nobody does that afterward since it's already in a working condition. So, we opened a new GCP organization. And in there, there is no 'lift and shift.' To move something to GCP, you need to make sure that it's using the cloud capabilities, and that's potentially reducing a lot of risks.

Companies move data to the cloud for systems to work faster. And by trying to achieve that speed, they are cutting corners by giving excessive permissions, which is very easy. But that prevents companies from utilizing the capabilities of the cloud.

Modern cloud architecture is almost synonymous with Kubernetes. Kubernetes, however, was developed as an open-source project. Do you think that can have any ramifications for cloud security?

I remember the days of having security by obscurity. Now, however, exposing code is seen as an advantage. And although there are risks, as someone can insert a vulnerability, there is a review process, even for open-source, and a lot more security researchers are looking at it.

It's true, however, that we have found cases where attackers added malicious code to an open-source product. But I don't think that the chances of discovering a vulnerability in something that you developed on your own are higher than for something open-source. Obviously, there is fear because everyone can edit it, but in reality, everyone can also audit it, and the more people are using it, the more people are testing it.


That being said, you need to pay attention. Companies need to monitor for updates continuously, and there are solutions in the market that really help with that, even though many companies don't do that.

With that in mind, using containers is really beneficial since people no longer need to patch something on a server. There are a lot of processes that you can just update and make sure that your services are still working.

With more companies moving to the cloud, the platform will become more and more interesting to malicious actors. Have you noticed anything change regarding cloud security recently?

Companies are moving fast to the cloud, and we see shorter attack paths, for example. It is easier for an attacker to get from the initial foothold to the critical assets. I feel that the industry is not really talking a lot about it. When you hear about a breach, you usually hear how the initial foothold was gained, like a phishing attack, for example.

The part that gets often overlooked is how a threat actor navigates from an initial access point to the prize, such as a database with credit card information. How did that happen? I mean, it's as important to prevent an attack as it is to limit how attackers can move around once they're in.


In my mind, it's closely related to ransomware-as-a-service (RaaS). Now, what's RaaS? A gang says: “we're very good at moving towards the critical assets, finding them, equipping them, and extorting money. Do you want to work with us? Give us the initial access, send a phishing email, find an open port, do whatever you want, just give us the initial access.” They don't want to waste time on the initial foothold.

A couple of years ago, Gartner published this report saying that you will get a hit if you send 35 phishing emails to an organization. Breaching is not the problem you want to focus on. How are attackers moving once they're in? And this is something that I feel we as an industry need to focus on and talk more about. We see attackers moving things fast, resulting in a shorter attack path from the initial breach point to the critical assets.

Why is that? Why does the attack path get shorter?

We've seen a lot of cloud adaptation recently. We talked about people doing lift and shift, giving all the permissions to make things work. And when that's happening, especially when we're talking in the cloud, usually that means you are allowed to access everything.

If I bring an analogy to on-prem, you gain an initial foothold with the phishing attack, and there is domain admin cached in all the machines. So, an attacker gets the domain admin access and basically game over. They can connect to whatever they want, pretty much. That results in a very short attack.

In the cloud, people are giving very wide-open permissions, which leads to the fact that you don't need to do a lot of hops. You only need to find an access point, and that results in a lot shorter attack.
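The "lift and shift" answers earlier in the interview and this one both make the same point: when a migrated workload is handed a project-wide basic role so that it "just works", a foothold on that workload is one hop away from every asset in the project. The script below is an added illustration of that idea and is not code from the interview, from XM Cyber, or from Google; the project, resources, service-account name and IAM bindings are all constructed here. It flags basic roles (Owner/Editor/Viewer) bound at project scope, then builds a small reachability graph (VM to its attached service account, service account to whatever its bindings reach) and compares the shortest path from a compromised VM to a critical bucket under a lift-and-shift policy and under a least-privilege one.

```python
from collections import deque

# Constructed, hypothetical GCP-style inventory for one project (not from the interview).
PROJECT = "proj-payments"
RESOURCES = {
    "vm-web": {"type": "compute.instance", "service_account": "sa-web@proj-payments.iam"},
    "bucket-static-assets": {"type": "storage.bucket"},
    "bucket-cardholder-data": {"type": "storage.bucket", "critical": True},
    "sql-orders": {"type": "sql.instance", "critical": True},
}

# GCP basic roles grant broad access across every resource in the project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# "Lift and shift": the VM's service account got Editor on the whole project so it "just works".
LIFT_AND_SHIFT_BINDINGS = [
    {"resource": PROJECT, "role": "roles/editor",
     "member": "serviceAccount:sa-web@proj-payments.iam"},
]

# Least privilege: the same service account may only read the one bucket it actually serves.
LEAST_PRIVILEGE_BINDINGS = [
    {"resource": "bucket-static-assets", "role": "roles/storage.objectViewer",
     "member": "serviceAccount:sa-web@proj-payments.iam"},
]


def find_broad_bindings(bindings):
    """Return the bindings that grant a basic role at project scope (the check to alert on)."""
    return [b for b in bindings if b["role"] in BASIC_ROLES and b["resource"] == PROJECT]


def critical_assets():
    """Names of the resources tagged as critical (the 'prize' in the interview's terms)."""
    return sorted(name for name, meta in RESOURCES.items() if meta.get("critical"))


def build_access_graph(bindings):
    """Directed graph: node -> set of nodes reachable in one hop.

    Edges: a VM leads to its attached service account (whoever controls the VM acts as it);
    a member leads to every resource its bindings grant access to, which for a basic role
    at project scope is every resource in the project.
    """
    graph = {name: set() for name in RESOURCES}
    for name, meta in RESOURCES.items():
        sa = meta.get("service_account")
        if sa:
            member = f"serviceAccount:{sa}"
            graph[name].add(member)
            graph.setdefault(member, set())
    for b in bindings:
        member = b["member"]
        graph.setdefault(member, set())
        if b["resource"] == PROJECT and b["role"] in BASIC_ROLES:
            graph[member].update(RESOURCES)  # project-wide reach
        else:
            graph[member].add(b["resource"])  # only the resource named in the binding
    return graph


def shortest_attack_path(graph, start, target):
    """Breadth-first search; returns the node list from start to target, or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def assess(bindings, foothold="vm-web"):
    """Map each critical asset to the shortest path from the foothold, or None if unreachable."""
    graph = build_access_graph(bindings)
    return {asset: shortest_attack_path(graph, foothold, asset) for asset in critical_assets()}


if __name__ == "__main__":
    for label, bindings in (("lift-and-shift", LIFT_AND_SHIFT_BINDINGS),
                            ("least-privilege", LEAST_PRIVILEGE_BINDINGS)):
        print(f"== {label}: broad bindings = {find_broad_bindings(bindings)}")
        for asset, path in assess(bindings).items():
            print(f"   {asset}: {'unreachable' if path is None else ' -> '.join(path)}")
```

Under the lift-and-shift policy every critical asset is two hops from the VM (VM, then its service account, then the asset); under the least-privilege policy the service account still reaches the static bucket it needs, and the cardholder bucket and the SQL instance are unreachable. In a real environment the bindings would come from an IAM policy export rather than a literal list, and the edge rules would need to cover more role types than the two used here.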

The last couple of years have been quite extraordinary in cyber security. Extortion attacks, for example, are on the rise with no end in sight. Why do you think we don't hear about major attacks on cloud assets?

I think it's because people talk more about the initial foothold. Another thing is that in many cases, attackers are gaining access to the on-prem environment. And in there, they're finding the way to pivot to the cloud. It's not necessarily that the cloud is open, but attackers are going to the on-prem and finding ways to get to the cloud.

Take the SolarWinds breach, for example. As Microsoft's report shows, first, the attackers got access to the organization's on-prem data centers. And then, they managed to gain access to Office 365 and their Azure environment. So you see, attackers are coming to the on-prem, and they're actually looking for how to get to those servers that are, in many cases, migrated over into the cloud.

In their data breach report, Verizon mentioned that in many cases, no one is actually reporting whether a breach involved the cloud or not, but from what they understand, it did.

I think that's because we're not really talking about the journey that an attacker has made to the prize. What we hear is that the cause was a phishing attack or something else. Cloud is more prominent in breaches than we hear from the media.
