Image: Rick_Jo, Getty Images/iStockphoto

Companies should now consider cybercriminals as business competitors, according to Lacework’s 2021 Cloud Threat Report Volume 2.

The report authors recommend this shift in thinking for two reasons:

  1. Cybercriminals are working hard to profit directly through ransom and extortion.
  2. They also are aiming to profit indirectly by stealing resources.

The Lacework Lab analyzed telemetry from its customers and other data to identify rising and increasing security threats to cloud deployments. One of the most interesting trends over the past few months, according to the report, is rising demand for access to cloud accounts. This shows up in the sale of admin credentials to cloud accounts from Initial Access Brokers. The analysis also found continued increases in scanning and probing of storage buckets, databases, orchestration systems and interactive logins.

SEE: How the quick shift to the cloud has led to more security risks (TechRepublic)

Lacework Labs tracks threat activity in a methodology based around the MITRE ATT&CK techniques. The report identified these notable attacker tactics, techniques and procedures from the last few months:

  1. User execution: Malicious Image [T1204.003]
  2. Persistence: Implant Internal Image [T1525]
  3. Execution: Deploy Container [T1610]

Lacework analysts also have been tracking TeamTNT throughout this year. Researchers discovered earlier this year that Docker images containing malware from TeamTNT were being hosted in public Docker repositories as a result of malicious account takeovers. Analysts found multiple cases in which the cybercriminals used exposed Docker Hub secrets on GitHub to use for staging the malicious images.

Cloud services probing

The report analyzed traffic from May 1 to July 1, 2021, to identify cloud threats. The analysis showed that SSH, SQL, Docker and Redis were the cloud applications targeted the most frequently over the last three months. Security researchers focused on cloudtrail logs in AWS environments and S3 activity in particular. They found that Tor seemed to be used more frequently for AWS reconnaissance. The majority of activity came from these sources:

  • 60729:”Zwiebelfreunde e.V.”
  • 208294:Markus Koch”
  • 4224:”CALYX-AS”
  • 208323:”Foundation for Applied Privacy”
  • 62744:”QUINTEX”
  • 43350:”NForce Entertainment B.V.”

The top three S3 APIs included GetBucketVersioning, GetBuckAcl and GetBucketLocation.

Lacework analysts recommend taking these steps to secure the cloud environment:

  • Ensure Docker sockets are not publicly exposed and appropriate firewall rules, security groups and other network controls are in place to prevent unauthorized access to network services.
  • Ensure base images are coming from trusted upstream sources and audited appropriately.
  • Implement Key-based SSH authentication.
  • Ensure the access policies set via console on S3 buckets are not being overridden by an automation tool.
  • Conduct frequent audits of S3 policies and automation around S3 bucket creation to ensure data stays private.
  • Enable protected mode in Redis instances to prevent exposure to the internet.