How Threat Actors Are Adapting to the Cloud

June 10, 2020
| |
4 min read

With organizations increasingly moving to cloud environments, cloud security is more critical than ever. Cloud environments often hold large troves of valuable and sensitive data that can put organizations and their customers at risk if they are breached. At the same time, many organizations are still discovering best practices surrounding cloud security and incident response.

IBM X-Force Incident Response and Intelligence Services (IRIS) has responded to many cloud security events. To help customers and the security community understand these threats, we dove deep into our internal data to analyze how threat actors are attacking the cloud and identify common pitfalls we observed for organizations responding to cloud-based breaches. Our research into the methods threat actors are using to target data in the cloud is presented in the new special intelligence report, the Cloud Security Landscape Report 2020.

Our research shows that cloud applications are often the infection vector of choice for threat actors. Once inside, the threat actors drop ransomware or other payloads edited to more effectively operate within cloud environments. Using threat intelligence to understand risks to your cloud-based assets and having the right tools to respond to cloud incidents can help organizations prepare for this evolving space.

Cloud Applications Open the Door

Since January 2019, 45 percent of the cloud incidents studied by IBM X-Force IRIS were caused by an initial compromise of a vulnerable cloud-hosted application. Cloud applications require a cloud-specific design and can present vulnerabilities not found in traditional server-based applications. As a result, preventing and detecting cloud application vulnerabilities can be difficult.

Another common method of entry for attackers was misconfigured cloud environments. Cloud misconfiguration has been tied to breaches with over 1 billion records lost or stolen in 2019, according to the IBM X-Force Threat Intelligence Index.

Another concerning technique used by threat actors gaining access to cloud environments is “swimming upstream,” where an actor uses initial access to break into the underlying host, then drops into the management system to move between client environments. Swimming upstream can sometimes mask threat actor activity as legitimate administration, which often needs to move data between instances as well, so distinguishing between the two can be complex.

This technique was on display when the severe Perfect 10.0 vulnerability was disclosed in 2020. That flaw allowed for a threat actor to break hardware-based isolation in a cloud environment, allowing for code interception, program manipulation and impact on other users’ activities hosted on the same hardware. This vulnerability has since been fixed.

Once inside, threat actors were three times more likely to deploy ransomware into the cloud environment compared to any other type of malware. Threat actors realize that cloud environments are critical to business operations and that shutting down an organization’s environments can cause rapid harm on a large scale.

In other cases, threat actors simply steal the troves of data that organizations hold in the cloud. Cloud environments often host sensitive and valuable information, and this data can be stolen by threat actors and exploited or sold on underground marketplaces. From incidents that IBM X-Force IRIS has handled, we’ve seen that the types of data stolen range from credit card numbers to internal emails.

Threat actors have also used cloud environments to host malware like crypto-miners to quickly monetize their illicit access, or, in other cases, to leverage the cloud environment for their own malicious campaigns.

Malware Is Adapting to the Cloud

Threat actors are discovering new ways to make their malware more effective at infecting and abusing cloud environments for their nefarious ends, according to our study of cloud incidents for this report. X-Force has seen malware using cloud environments to quickly scale up operations. For example, during one incident, X-Force discovered a version of DemonBot running in a public cloud environment, which was detected by the affected organization due to a significant increase in billing and resource usage. Cloud-based malware can have a real cost for organizations.

Further, increased targeting of Linux-based file storage systems in cloud environments, such as the QNAPCrypt ransomware, has shown that threat actors are developing and enhancing malware used in the cloud.

After compromising a cloud environment, some threat actors have started using this access as their own operational infrastructure. In this way, a company’s cloud may be hosting malware that gets deployed to another organization, potentially doubling the harm and risk.

Avoiding Missteps Saves Time and Money

Based on X-Force IRIS’s extensive incident response experience, we’ve learned some key ways to better prepare for a possible cloud-related incident. Be sure to take the following steps when executing your cloud security strategy:

  • Use Proactive Simulation — Using a tabletop exercise or cyber range experience can allow an organization to practice their playbook completely and identify potential gaps in their environment.
  • Have the Right Tools — During incident response, sometimes tools won’t work as effectively in a cloud environment as they do on endpoints. Having tools specifically designed for investigation and action within cloud environments helps enable organizations to defend their cloud-based assets.
  • Redeploy, Don’t Reimage — When an incident is detected, the first instinct is often to simply reimage the cloud-hosted machine, but doing so loses valuable forensic artifacts. Instead, redeploy so that incident responders can perform a thorough forensic investigation to help fully stop an attacker’s activities.
  • Search Out Policy Deadspots — Cloud security is a joint venture between the hosting provider and the consumer, and understanding which party is responsible for each component helps to prevent any gaps in the armor.
  • Use Threat Intelligence — By understanding how threat actors are trying to break into cloud environments and what they do once they’re inside, organizations can better detect and defend against malicious attacks efficiently.

About the Report

The IBM X-Force Cloud Security Landscape Report leverages IBM’s deep cloud knowledge and years of experience to gather intelligence from cloud incidents we responded to over the past year. Read the report for more key insights into how threat actors are targeting and using the cloud, and to see our recommendations for protecting your organization from these threats and responding to cloud security incidents.

Download the IBM X-Force Cloud Security Landscape Report
Charles DeBeck
Senior Cyber Threat Intelligence Analyst - IBM

Charles DeBeck is a senior cyber threat intelligence strategic analyst with IBM X-Force Incident Response and Intelligence Services (IRIS). Charles brings 7 ...
read more