
Lacework Quarterly Cloud Threat Report Shows the Automated Techniques Cybercriminals are Using to Attack Businesses in the Cloud

Enterprising criminals are selling direct access to cloud accounts

Lacework, the data-driven security platform for the cloud, released its quarterly cloud threat report, unveiling the new techniques and avenues cybercriminals are infiltrating to profit from businesses.

The rapid shift of applications and infrastructure to the cloud creates gaps in the security posture of organizations everywhere. This has increased the opportunities for cybercriminals to steal data, abuse an organization’s assets, and gain illicit network access.

“It’s in enterprises’ best interest to start thinking of cybercriminals as business competitors,” said James Condon, Director of Research at Lacework. “Last year alone, cybercrime and ransomware attacks cost companies $4 billion in damages. As more companies shift to cloud environments, we’re seeing an increase in demand for stolen access to cloud accounts and evolving techniques from cybercriminals, making enterprises even more vulnerable to cloud threats.”


New research from Lacework Labs, the dedicated research team at Lacework that focuses on new threats and attack surface risks within the public cloud, sheds light on the crimeware and growing ransomware landscape in the face of new threat models and emerging cybersecurity challenges. Based on anonymized data across the Lacework platform from May 2021 – July 2021, key findings of the report include:

  • Initial Access Brokers (IABs) Expand to Cloud Accounts
    • As corporate infrastructure continues to expand to the cloud, so does the attention of opportunistic adversaries looking to capitalize on it. Illicit access into the cloud infrastructure of companies with valuable data or resources, or with wide-reaching access into other organizations, offers attackers an incredible return on investment. In particular, Lacework Labs found that Amazon AWS, Google Cloud, and Azure administrative accounts are gaining popularity in underground marketplaces.
  • Threat Actor Campaigns Continue to Evolve: Lacework Labs has observed a variety of malicious activity originating from known adversary groups and malware families. This section showcases those whose operations continue to evolve in pursuit of a valuable return on investment:
    • 8220 Gang Botnet and Custom Miner: Lacework Labs recently found a new cluster of activity linked to an 8220 Gang campaign that infects hosts, primarily through common cloud services, with a custom miner and an IRC bot used for further attacks and remote control. This cluster shows the operation evolving on many levels, including efforts to hide the botnet’s scale and its mining profits. This is indicative of attacks growing in size.
    • TeamTNT Docker Image Compromise: The Lacework Labs team discovered threat actor TeamTNT backdooring legitimate Docker Images in a supply chain-like attack. Networks running the trusted image were unknowingly infected.
      • Developer teams need to be certain they know what’s in the image they pull. They need to validate the source or they could open a door to their environment.


  • Popular cloud relevant crimeware and actors:
    • Cpuminer, the open-source multi-algorithm miner, has been legitimately used for years. However, Lacework Labs observed an increase in its illicit use for cryptomining altcoins.
      • Monero (the coin) and XMRig (the miner) account for most cryptomining against cloud resources, so activity involving lesser-seen coins and tools may be more likely to go undetected.
  • Cloud services probing:
    • Lacework Labs captures a range of telemetry from both product deployments and custom honeypots, which allows the company to see trends relevant to cloud defense. Across these sources, many cloud-relevant applications are continually targeted, but Lacework found that AWS S3, SSH, Docker, SQL and Redis were by far the most targeted.

Based on the findings of this report, Lacework Labs recommends that defenders:

  • Ensure Docker sockets are not publicly exposed and that appropriate firewall rules, security groups and other network controls are in place. This will help to prevent unauthorized access to network services running in an organization.
  • Ensure the access policies you set via the console on S3 buckets are not being overridden by an automation tool. Frequent auditing of S3 policies and automation around S3 bucket creation can ensure data stays private.
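The S3 policy audit recommended above can be scripted. The following is an added example, not Lacework’s or the report’s code: it takes bucket policy documents already retrieved (for instance with `aws s3api get-bucket-policy`) and flags statements that grant access to a wildcard principal, which is the typical footprint of an automation tool overriding a console setting. The bucket names, account ID and VPC endpoint ID are constructed sample values.

```python
# Constructed sample bucket policies (not from the report); keys are bucket names.
SAMPLE_POLICIES = {
    "logs-archive": {"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-writer"},
        "Action": "s3:PutObject", "Resource": "arn:aws:s3:::logs-archive/*"}]},
    "customer-exports": {"Statement": [{
        "Sid": "AddedByAutomation", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]}]},
    "internal-static": {"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::internal-static/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]},
}

def _as_list(value):
    # IAM policy elements may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """True when the Principal element grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def find_public_statements(policy):
    """Split Allow statements with a wildcard principal into unconditional
    (public) and Condition-restricted (needs human review) groups."""
    public, conditional = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        (conditional if stmt.get("Condition") else public).append(stmt)
    return public, conditional

def audit_buckets(policies):
    """Return {bucket: [finding, ...]} for every policy granting wildcard access."""
    findings = {}
    for bucket, policy in policies.items():
        public, conditional = find_public_statements(policy)
        notes = [f"PUBLIC: statement {s.get('Sid', '<no Sid>')} allows {_as_list(s['Action'])} to everyone" for s in public]
        notes += [f"REVIEW: wildcard principal restricted only by Condition {list(s['Condition'])}" for s in conditional]
        if notes:
            findings[bucket] = notes
    return findings

if __name__ == "__main__":
    for bucket, notes in audit_buckets(SAMPLE_POLICIES).items():
        print(bucket, *notes, sep="\n  ")
```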
