Xbash illustrates how opportunity still knocks for threat actors in the cloud

News by Davey Winder

A trio of newly published reports paint a less than flattering portrait of the cloud-based data threatscape. Why does the enterprise still have cause for concern when it comes to cloud security in 2019?

Research published today by Ping Identity looking at the state of enterprise IT infrastructure and security cites security as remaining the number one barrier to cloud adoption and reveals more than a quarter of respondents' organisations had experienced a cloud-based breach of data.

On its own this doesn't bode well for the cloud in 2019: surely we should have got the security basics sorted by now? Throw in the threat intelligence briefing published yesterday by Armor and the scale of the problem becomes immediately apparent.

During 2018 there were in excess of 681 million attacks launched against the 1,200 enterprise cloud customers that Armor protects. Its Threat Resistance Unit (TRU) security researchers analysed the data and determined that the majority – by a wide margin – of the exploit attempts were opportunistic by nature rather than targeted ones.

The most frequent attack types were against known vulnerabilities in software, brute force and credential stuffing, web application attacks and those involving Internet of Things devices. "Brute force and web application attacks are certainly not the most sophisticated nor the most lethal," said Corey Milligan, senior security researcher at Armor's TRU. "However, they are still commonly seen because they are good old standbys that continue to work and are easy to get their hands on."

You can also probably file ransomware under the 'good old standby' category of exploit by now, which brings us nicely to the third report, published this morning by Securonix. This reveals how attackers have been launching ransomware attacks against cloud infrastructures using the Xbash malware.

Active since May 2018, Xbash has been seen brute-forcing weak service passwords as well as exploiting a number of known vulnerabilities in Hadoop YARN ResourceManager, Redis and ActiveMQ. Once installed, Xbash deletes the databases it finds and creates a new one containing only a ransom demand; there is no evidence the data is backed up or exfiltrated first, so paying the ransom is unlikely to recover it.
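
The practical question the Xbash campaign raises is whether your own Redis and Hadoop instances are reachable without authentication. The following is an added example, not code from the article or from any of the vendors quoted in it: a small configuration audit that parses a redis.conf and a Hadoop core-site.xml and flags the settings that leave the services open to exactly this kind of opportunistic scanning. The sample configurations are constructed for the example; the directives checked (`bind`, `protected-mode`, `requirepass`, `hadoop.security.authentication`, `hadoop.security.authorization`) are real, and the 16-character password floor is an assumed heuristic.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from any real deployment).
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass not set: anyone who can reach the port can run CONFIG SET / SAVE
"""

HARDENED_REDIS_CONF = """\
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass 9f1c0e6a4b7d2c8e3a5f6b1d0c9e8a7f
"""

WEAK_HADOOP_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>
"""

HARDENED_HADOOP_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>
"""

MIN_PASSWORD_LEN = 16  # assumed heuristic for "brute-forceable"


def parse_redis_conf(text):
    """Return {directive: [args...]} for the non-comment lines of a redis.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis(text):
    """Flag the settings that make a Redis instance an easy target for scanners."""
    conf = parse_redis_conf(text)
    findings = []
    password = conf.get("requirepass", [])
    if not password or password[0] in ('""', "''"):
        findings.append("redis: no requirepass set (unauthenticated access)")
    elif len(password[0]) < MIN_PASSWORD_LEN:
        findings.append("redis: requirepass shorter than %d characters (brute-forceable)" % MIN_PASSWORD_LEN)
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("redis: protected-mode disabled")
    # With no bind directive Redis listens on every interface.
    binds = conf.get("bind", ["0.0.0.0"])
    if any(addr in ("0.0.0.0", "*", "::") for addr in binds):
        findings.append("redis: listening on all interfaces")
    return findings


def hadoop_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop site XML file."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "").strip() for p in root.iter("property")}


def audit_hadoop(xml_text):
    """Flag a Hadoop cluster whose YARN/HDFS APIs accept any caller."""
    props = hadoop_props(xml_text)
    findings = []
    if props.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("hadoop: authentication is 'simple', any network peer can submit YARN applications")
    if props.get("hadoop.security.authorization", "false").lower() != "true":
        findings.append("hadoop: service-level authorization disabled")
    return findings


def run_audit():
    """Audit the constructed configs and return the findings per label."""
    return {
        "redis-weak": audit_redis(WEAK_REDIS_CONF),
        "redis-hardened": audit_redis(HARDENED_REDIS_CONF),
        "hadoop-weak": audit_hadoop(WEAK_HADOOP_CORE_SITE),
        "hadoop-hardened": audit_hadoop(HARDENED_HADOOP_CORE_SITE),
    }


if __name__ == "__main__":
    for label, findings in run_audit().items():
        print(label, "->", findings or "no findings")
```

The hardened Redis configuration passes because it binds only to loopback and a private address, keeps protected mode on and sets a long password; the hardened Hadoop configuration passes because it requires Kerberos and enables service-level authorization. Run the same checks against real files pulled from your hosts, and treat any finding on an instance with a public address as urgent.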

SC Media UK asked around to get a feel of how the broader industry sees the threatscape shaping up in the world of cloud data security.

"The decision of whether to exploit a misconfiguration or whether to deploy a cyber-weapon that targets a known vulnerability is somewhat irrelevant to attackers," said David Warburton, senior threat evangelist (EMEA) at F5 Networks. "Misconfigurations are certainly easier to take advantage of, but the speed at which published vulnerabilities are weaponised means that hackers have a wide range of tools at their disposal."

Then there's the IoT threat surface which continues to grow, along with cloud-based brute force cracking services. "These render some encryption, assumed safe, to be ridiculously insecure," according to Kevin Curran, senior IEEE member and professor of cyber-security at Ulster University.

He told SC: "The power of the cloud to organised crime will usher in a new era of cyber-crime: what you have here is the cloud attacking the cloud."

Meanwhile, Alex Hinchliffe, threat intelligence analyst from Unit 42 at Palo Alto Networks, points to research the group did last year that found "29 percent of organisations had potential account compromises, made even more severe given that 27 percent of organisations also allowed root user activities".

Compromise a root cloud account and it’s game over, Hinchliffe said. "While you cannot discount the brute-force or IoT route, credential compromises are becoming more commonplace in the public cloud..."

So, what should enterprises be doing by way of best practice to mitigate the risk of 'cloud data attacks', be they of the ransomware variety or opportunistic attempts to steal data from storage containers?

"Creating and enforcing policies on deployments and configurations is a fundamental basic in cloud computing," Matt Middleton-Leal, general manager (EMEA) at Netwrix, said. "To prevent crucial human errors, enterprises should both improve their internal workflows and assess their cloud provider’s security credentials."

Jesper Frederiksen, Okta’s VP and general manager, said that "to better protect against these attacks, both technology leaders and developers need to invest in API security. Additionally, integrating and identifying contextual factors such as IP addresses, geo-location, and device identification can increase security and reduce credential-based attacks."
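
The brute-force and credential-stuffing attacks Armor counts above, and the contextual factors Frederiksen mentions here, are both things you can look for in your own authentication logs. The following is an added example, not code from the article or from Okta: it parses a handful of constructed login events, separates credential stuffing (one source failing against many accounts) from brute force (many failures against one account), and flags a successful login whose source address, device or geolocation differs from everything in that user's earlier successful history. The log format, thresholds and field names are assumptions for the example; a production detector would additionally use sliding time windows rather than raw counts.

```python
import re
from collections import defaultdict

# Assumed log format, one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) device=(?P<device>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample events (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2019-02-19T08:00:01Z user=alice src=203.0.113.5 device=dev-a1 geo=GB result=ok
2019-02-19T08:05:12Z user=alice src=203.0.113.5 device=dev-a1 geo=GB result=ok
2019-02-19T09:00:00Z user=bob src=198.51.100.7 device=dev-x9 geo=US result=fail
2019-02-19T09:00:01Z user=carol src=198.51.100.7 device=dev-x9 geo=US result=fail
2019-02-19T09:00:02Z user=dave src=198.51.100.7 device=dev-x9 geo=US result=fail
2019-02-19T09:00:03Z user=erin src=198.51.100.7 device=dev-x9 geo=US result=fail
2019-02-19T09:00:04Z user=frank src=198.51.100.7 device=dev-x9 geo=US result=fail
2019-02-19T10:00:00Z user=alice src=192.0.2.9 device=dev-zz geo=RU result=fail
2019-02-19T10:00:01Z user=alice src=192.0.2.9 device=dev-zz geo=RU result=fail
2019-02-19T10:00:02Z user=alice src=192.0.2.9 device=dev-zz geo=RU result=fail
2019-02-19T10:00:03Z user=alice src=192.0.2.9 device=dev-zz geo=RU result=fail
2019-02-19T10:00:04Z user=alice src=192.0.2.9 device=dev-zz geo=RU result=fail
2019-02-19T10:00:05Z user=alice src=192.0.2.9 device=dev-zz geo=RU result=ok
2019-02-19T11:00:00Z user=bob src=203.0.113.40 device=dev-b2 geo=GB result=ok
"""

CONTEXT_FIELDS = ("src", "device", "geo")


def parse(text):
    """Parse the log text into a list of event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_users=5):
    """Sources whose failures touched at least min_users distinct accounts."""
    victims = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            victims[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in victims.items() if len(users) >= min_users}


def detect_brute_force(events, min_failures=5):
    """Accounts that collected at least min_failures failed attempts."""
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            failures[e["user"]] += 1
    return {user: n for user, n in failures.items() if n >= min_failures}


def detect_context_anomalies(events):
    """Successful logins whose context is new relative to the user's earlier successes.

    The first success for a user only seeds the baseline and is never flagged.
    """
    baseline = defaultdict(lambda: {f: set() for f in CONTEXT_FIELDS})
    anomalies = []
    for e in events:
        if e["result"] != "ok":
            continue
        hist = baseline[e["user"]]
        if hist["src"]:  # user already has a baseline
            novel = [f for f in CONTEXT_FIELDS if e[f] not in hist[f]]
            if novel:
                anomalies.append({"ts": e["ts"], "user": e["user"], "src": e["src"], "novel": novel})
        for f in CONTEXT_FIELDS:
            hist[f].add(e[f])
    return anomalies


def analyse(text):
    """Run all three detections over a log and return their results together."""
    events = parse(text)
    return {
        "credential_stuffing": detect_credential_stuffing(events),
        "brute_force": detect_brute_force(events),
        "context_anomalies": detect_context_anomalies(events),
    }


if __name__ == "__main__":
    for name, result in analyse(SAMPLE_LOG).items():
        print(name, "->", result)
```

On the sample data the three detections tell three different stories: 198.51.100.7 is spraying one password across many accounts, alice's account is being hammered from 192.0.2.9, and the success that follows those failures comes from an address, device and country alice has never used, which is the signal a contextual policy would use to demand a second factor or block the session. bob's later login from a new address is not flagged because it is his first recorded success and so only seeds his baseline.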

Let's leave the final word to Marina Kidron, group leader at Skybox Research Lab, who advised: "Because there is currently no cloud-focused international protocol, it’s important for enterprises to stay alert, thoroughly examine the security protocols of their cloud service provider, gain visibility of their entire environment and to ensure that both parties uphold their end of the bargain in the shared responsibility model."