Lacework analysis finds that SSH, SQL, Docker and Redis have been the most common targets over the past three months.
Companies should now think of cybercriminals as business rivals, according to Lacework's 2021 Cloud Threat Report Volume 2.
The report authors recommend this shift in thinking for two reasons:
- Cybercriminals are working hard to profit directly through ransom and extortion
- They are also aiming to profit indirectly by stealing resources
Lacework Labs analyzed telemetry from its customers and other data to identify emerging and growing security threats to cloud deployments. One of the most interesting trends over the past few months, according to the report, is growing demand for access to cloud accounts. This shows up in the sale of admin credentials for cloud accounts by Initial Access Brokers. The analysis also found continued increases in scanning and probing of storage buckets, databases, orchestration systems and interactive logins.
SEE: How the rapid shift to the cloud has led to more security risks (TechRepublic)
Lacework Labs tracks threat activity using a methodology built around MITRE ATT&CK techniques. The report identified these notable attacker tactics, techniques and procedures from the past few months:
- User Execution: Malicious Image [T1204.003]
- Persistence: Implant Internal Image [T1525]
- Execution: Deploy Container [T1610]
Lacework analysts have also been monitoring TeamTNT throughout this year. Researchers discovered earlier this year that Docker images containing TeamTNT malware were being hosted in public Docker repositories as a result of malicious account takeovers. Analysts found several cases in which the cybercriminals used Docker Hub secrets exposed on GitHub to stage the malicious images.
Cloud services probing
The report analyzed traffic from May 1 to July 1, 2021, to identify cloud threats. The analysis showed that SSH, SQL, Docker and Redis were the cloud applications targeted most frequently over the past three months. Security researchers focused on CloudTrail logs in AWS environments, and on S3 activity in particular. They found that Tor appeared to be used more frequently for AWS reconnaissance. The majority of activity came from these sources (autonomous system number and operator):
- AS60729: Zwiebelfreunde e.V.
- AS208294: Markus Koch
- AS4224: CALYX-AS
- AS208323: Foundation for Applied Privacy
- AS62744: QUINTEX
- AS43350: NForce Entertainment B.V.
The top three S3 APIs called were GetBucketVersioning, GetBucketAcl and GetBucketLocation.
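The pattern described above, bucket-metadata calls from Tor exits, is straightforward to hunt for in CloudTrail. The script below is an added example, not code from Lacework or TechRepublic: it groups the three API calls the report names (GetBucketVersioning, GetBucketAcl, GetBucketLocation) by source IP and raises a score when the caller is on a Tor exit list, sweeps several buckets, or is refused with AccessDenied. Treating GetBucketPolicy and ListBuckets as reconnaissance is this example's own extension. The CloudTrail records and the exit-node list are constructed (RFC 5737 test addresses), not real telemetry.

```python
"""Score S3 bucket-metadata reconnaissance in CloudTrail records.

Added example, not code from the Lacework report or TechRepublic. The sample
records and the Tor exit list below are constructed for illustration.
"""
import json
from collections import defaultdict
from ipaddress import ip_address

# Calls that reveal bucket layout and permissions without reading objects.
# The first three are the ones the report lists; the last two are added here.
RECON_APIS = {"GetBucketVersioning", "GetBucketAcl", "GetBucketLocation",
              "GetBucketPolicy", "ListBuckets"}

# Constructed stand-in for a Tor exit-node list (RFC 5737 test addresses).
TOR_EXITS = {"198.51.100.7", "198.51.100.19"}

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_RECORDS = [json.loads(line) for line in """
{"eventTime":"2021-06-03T02:11:09Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketAcl","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-backups"},"errorCode":"AccessDenied"}
{"eventTime":"2021-06-03T02:11:10Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketLocation","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-backups"}}
{"eventTime":"2021-06-03T02:11:11Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketVersioning","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-backups"},"errorCode":"AccessDenied"}
{"eventTime":"2021-06-03T09:40:02Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketLocation","sourceIPAddress":"203.0.113.44","userIdentity":{"arn":"arn:aws:iam::111122223333:role/web-app"},"requestParameters":{"bucketName":"corp-web-assets"}}
{"eventTime":"2021-06-03T09:40:03Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","sourceIPAddress":"203.0.113.44","userIdentity":{"arn":"arn:aws:iam::111122223333:role/web-app"},"requestParameters":{"bucketName":"corp-web-assets","key":"img/logo.png"}}
{"eventTime":"2021-06-03T10:02:00Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketLocation","sourceIPAddress":"cloudformation.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:role/cfn"},"requestParameters":{"bucketName":"corp-logs"}}
{"eventTime":"2021-06-04T01:15:30Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketAcl","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-backups"}}
{"eventTime":"2021-06-04T01:15:31Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketPolicy","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-web-assets"}}
{"eventTime":"2021-06-04T01:15:32Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketVersioning","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-logs"}}
{"eventTime":"2021-06-04T01:15:33Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketLocation","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"corp-logs"}}
""".strip().splitlines()]


def is_tor_exit(source, exits):
    """True only for a real IP address that is on the exit list.

    CloudTrail puts a service name such as 'cloudformation.amazonaws.com'
    in sourceIPAddress for service-initiated calls; those never match.
    """
    try:
        return str(ip_address(source)) in exits
    except ValueError:
        return False


def score_recon(records, exits=TOR_EXITS):
    """Return {source: finding} for every source that made a recon call."""
    by_src = defaultdict(lambda: {"apis": set(), "buckets": set(),
                                  "identities": set(), "denied": 0, "tor": False})
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in RECON_APIS:
            continue
        src = rec.get("sourceIPAddress", "")
        f = by_src[src]
        f["apis"].add(rec["eventName"])
        f["tor"] = is_tor_exit(src, exits)
        f["identities"].add(rec.get("userIdentity", {}).get("arn", "?"))
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        if bucket:
            f["buckets"].add(bucket)
        if rec.get("errorCode") == "AccessDenied":
            f["denied"] += 1

    findings = {}
    for src, f in by_src.items():
        # One point per distinct recon API and per refused call, a flat bonus
        # for a Tor exit and another for sweeping three or more buckets.
        score = len(f["apis"]) + f["denied"]
        score += 3 if f["tor"] else 0
        score += 2 if len(f["buckets"]) >= 3 else 0
        findings[src] = {**f, "score": score, "suspicious": score >= 5}
    return findings


if __name__ == "__main__":
    ranked = sorted(score_recon(SAMPLE_RECORDS).items(), key=lambda kv: -kv[1]["score"])
    for src, f in ranked:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {src:32} score={f['score']} apis={sorted(f['apis'])} "
              f"buckets={len(f['buckets'])} denied={f['denied']} tor={f['tor']}")
```

Run against real data by replacing SAMPLE_RECORDS with the `Records` array of a CloudTrail log file and TOR_EXITS with a current exit list. Note that a legitimate caller from an `amazonaws.com` service name scores on breadth alone, so the Tor bonus is deliberately not applied to it; the `ci-deploy` user appearing from both a Tor exit and a second address is the kind of credential reuse the Initial Access Broker trend above makes worth following up.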
Lacework analysts recommend taking these steps to secure the cloud environment:
- Ensure Docker sockets are not publicly exposed, and that appropriate firewall rules, security groups and other network controls are in place to prevent unauthorized access to network services.
- Ensure base images come from trusted upstream sources and are audited appropriately.
- Implement key-based SSH authentication.
- Ensure the access policies set via the console on S3 buckets are not being overridden by an automation tool.
- Conduct frequent audits of S3 policies and of the automation around S3 bucket creation to ensure data remains private.
- Enable protected mode on Redis instances to prevent exposure to the internet.
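Three of these steps (the Docker socket, key-based SSH and Redis protected mode) come down to a handful of daemon settings, and each has a default or a parsing rule that is easy to get wrong: Redis applies the last occurrence of a directive and defaults `protected-mode` to yes, sshd applies the first occurrence and defaults `PasswordAuthentication` to yes, and a Docker `tcp://` listener without `tlsverify` is an unauthenticated API. The audit below is an added example, not code from Lacework or TechRepublic; it reads a `redis.conf`, the global section of an `sshd_config` and a Docker `daemon.json` and reports each weak setting beside the corrected value. The configuration texts are constructed for the example and the certificate paths in the hardened Docker sample are placeholders.

```python
"""Audit the host-side settings behind the report's hardening steps.

Added example, not code from Lacework or TechRepublic. The sample configs
are constructed; certificate paths are placeholders.
"""
import json

# Redis 'bind' tokens that mean "listen on every interface".
REDIS_WILDCARDS = {"0.0.0.0", "-0.0.0.0", "*", "::", "-::*", "::*"}


def _values(text, key, stop_at=None):
    """All values of `key` (case-insensitive) in a 'key value' config.

    Only whole-line '#' comments are skipped, which is how both redis.conf
    and sshd_config define comments. Parsing stops at the first `stop_at`
    keyword so that sshd 'Match' blocks do not leak into global settings.
    """
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if stop_at and parts[0].lower() == stop_at:
            break
        if parts[0].lower() == key.lower():
            found.append(parts[1].strip() if len(parts) > 1 else "")
    return found


def audit_redis(conf):
    """Redis honours the last occurrence; protected-mode defaults to yes."""
    findings = []
    mode = (_values(conf, "protected-mode") or ["yes"])[-1].lower()
    binds = _values(conf, "bind")
    tokens = {t for b in binds for t in b.split()}
    exposed = not binds or bool(tokens & REDIS_WILDCARDS)
    has_pass = bool(_values(conf, "requirepass"))
    if mode != "yes":
        detail = " (and bound on all interfaces with no requirepass)" if exposed and not has_pass else ""
        findings.append(("redis", "protected-mode", mode + detail, "yes"))
    return findings


def audit_sshd(conf):
    """sshd honours the first occurrence; defaults are OpenSSH's."""
    def first(key, default):
        return (_values(conf, key, stop_at="match") or [default])[0].lower()
    findings = []
    pubkey = first("pubkeyauthentication", "yes")
    if pubkey != "yes":
        findings.append(("sshd", "PubkeyAuthentication", pubkey, "yes"))
    password = first("passwordauthentication", "yes")
    if password != "no":
        findings.append(("sshd", "PasswordAuthentication", password, "no"))
    # KbdInteractiveAuthentication (older name ChallengeResponseAuthentication)
    # lets PAM still prompt for a password when PasswordAuthentication is off.
    kbd = first("kbdinteractiveauthentication", first("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append(("sshd", "KbdInteractiveAuthentication", kbd, "no"))
    return findings


def audit_docker(daemon_json):
    """A tcp:// listener without tlsverify is an exposed Docker API socket."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for host in tcp_hosts:
        addr = host[len("tcp://"):].rsplit(":", 1)[0]   # '' means all interfaces
        if addr in ("", "0.0.0.0", "::", "[::]"):
            findings.append(("docker", "hosts", host, "bind to a private address and firewall the port"))
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append(("docker", "tlsverify", "unset", "true, with tlscacert/tlscert/tlskey set"))
    return findings


def audit_all(redis_conf, sshd_conf, daemon_json):
    return audit_redis(redis_conf) + audit_sshd(sshd_conf) + audit_docker(daemon_json)


# Constructed weak and hardened configurations.
WEAK_REDIS = "# constructed\nbind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass change-me\n"
WEAK_SSHD = "Port 22\nPasswordAuthentication yes\nChallengeResponseAuthentication yes\nMatch User deploy\n    PasswordAuthentication no\n"
HARDENED_SSHD = "PubkeyAuthentication yes\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DOCKER = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], "tlsverify": true, '
                   '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", '
                   '"tlskey": "/etc/docker/server-key.pem"}')

if __name__ == "__main__":
    for component, setting, current, recommended in audit_all(WEAK_REDIS, WEAK_SSHD, WEAK_DOCKER):
        print(f"{component:7} {setting:28} current={current!r:55} recommended={recommended}")
    print("hardened findings:", audit_all(HARDENED_REDIS, HARDENED_SSHD, HARDENED_DOCKER))
```

The `Match User deploy` block in the weak sshd sample is the trap worth noticing: the `PasswordAuthentication no` inside it applies only to that user, so the global setting is still the permissive default and the audit correctly reports it. Point the three functions at `/etc/redis/redis.conf`, `/etc/ssh/sshd_config` and `/etc/docker/daemon.json` to run it on a real host; settings passed on the daemon command line or via systemd drop-ins are outside what a file audit can see.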