Looking back on 2022, cloud environments clearly moved further into the focus of cyber attackers. Although the attackers' basic techniques and methods have not changed significantly, there has been an increase in so-called long-chain attacks. These attacks combine traditional techniques such as social engineering with cloud misconfigurations and over-privileged identities, leading to momentous breaches for businesses.
Over-privileged access permissions
The past year began with the disclosure of an attack by the LAPSUS$ group, which used stolen credentials and leveraged multi-factor authentication to penetrate several well-known organisations. Once the attackers had found a gateway into an organisation, they continued their campaign by moving laterally within the IT infrastructure using admin credentials, eventually obtaining highly privileged credentials for cloud and on-premise resources. With these credentials, they were able to compromise various cloud workloads and gain access to sensitive data. This shows that organisations continue to fail to identify the potential attack radius of both human and non-human identities, which prolongs root cause analysis and increases the impact in the form of data loss.
Damage from insiders
In addition to sophisticated attacks, insider threats remained a major concern for businesses. Here, access paths to sensitive data are exploited, or data is inadvertently exposed in public cloud environments. An important step in reducing the risk of insider threats is to identify indirect access paths to sensitive data and close them. An example is a user who has access to an EC2 instance which in turn has access to an S3 bucket, giving the user a transitive relationship to the data.
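The EC2-to-S3 case above is one instance of a general problem: finding every path from an identity to sensitive data that runs through an intermediate resource. The following is an added example, not code from the original article or from Zscaler; it assumes a constructed inventory of "who can reach what" relationships (the edge names are illustrative) and reports every such indirect path.

```python
"""Find indirect (transitive) access paths from identities to sensitive data.

Constructed sample inventory; the relationship names are illustrative, not
real account data. Each edge is (source, relationship, target).
"""
from collections import deque

EDGES = [
    ("user:alice", "ssm:StartSession", "ec2:web-01"),
    ("ec2:web-01", "instance-profile", "role:web-role"),
    ("role:web-role", "s3:GetObject", "bucket:customer-pii"),
    ("user:bob", "sts:AssumeRole", "role:analyst"),
    ("role:analyst", "s3:ListBucket", "bucket:public-site"),
    ("user:carol", "s3:GetObject", "bucket:customer-pii"),
]
SENSITIVE = {"bucket:customer-pii"}  # constructed label for the data store


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def access_paths(graph, start, targets):
    """BFS from `start`; return every path that ends on a target node.

    A path is a list alternating nodes and '--relationship-->' markers.
    A direct path has length 3; anything longer passes through at least
    one intermediate node (an instance, a role), which is exactly what a
    review of the user's own policy alone would miss."""
    paths = []
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in path:  # skip cycles such as role chaining back
                continue
            new_path = path + [f"--{rel}-->", nxt]
            if nxt in targets:
                paths.append(new_path)
            else:
                queue.append((nxt, new_path))
    return paths


def indirect_paths(graph, start, targets):
    """Only the transitive paths: at least one intermediate hop."""
    return [p for p in access_paths(graph, start, targets) if len(p) > 3]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for user in ("user:alice", "user:bob", "user:carol"):
        for p in indirect_paths(g, user, SENSITIVE):
            print(" ".join(p))
```

Run against a real inventory, the same traversal surfaces chains such as user, instance, instance profile, bucket that never appear in any single IAM policy attached to the user.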
Obsolete and unused objects
Resource misuse, particularly through obsolete or unused objects, led to several major security breaches in the past year. Businesses use the cloud for its productivity benefits, as large amounts of data can be moved easily. However, accidentally shared database or disk snapshots give attackers unwanted access to these resources and thus to sensitive data. Unused IAM objects such as access roles, service principals and API access keys remain the means of choice for attackers to penetrate an organisation.
Application security as a risk
In addition, poor application security by design remains a major problem in the cloud. Poorly coded web applications continue to provide attackers with an entry point into other organisations' cloud environments. Once exploited, attackers can use OWASP Top 10 attack vectors such as SSRF / CSRF to gain access to cloud metadata services and then move laterally through poorly configured IAM roles. Organisations consistently fail to secure cloud metadata services such as the Instance Metadata Service (IMDS) in AWS, increasing the risk of attack.
Data leaks in S3 buckets
Another major problem in the past year remained leaks from buckets or blobs. Petabytes of data are exposed through incorrectly configured cloud storage, and highly sensitive, unencrypted data stored in the public cloud carries a high risk of data loss. Companies are often unable to distinguish a legitimate public data release from an accidental one. The result is countless data breaches, and even in 2022 this problem had not been fixed. Noisy tools and a lack of processes for responding to security incidents in the cloud meant that such incidents turned out more serious for companies than they needed to be.
Loss of source code
This trend started back in 2020 with SolarWinds, and there was no sign of it abating last year. Threat actors target the intellectual property of organisations by going after source code repositories, which puts them in a position to launch further attacks on the supply chain. Public code repositories such as GitHub further increase the risk of losing embedded API keys. How companies can respond to this is outlined by Zscaler in one of their recent blogs.
Conclusion: CNAPP as a solution approach
Yet it is not only the threats described here that are evolving. Developers are increasingly aware of how misconfigurations and vulnerabilities can be mitigated with CNAPP tools, raising hopes of at least keeping these types of attacks at bay. Such solutions rely on multi-vector telemetry to detect misconfigurations, privacy gaps and identities, providing remediation and increased resilience against attacks on cloud environments in 2023.
Arnab Roy, Cloud Security Architect at Zscaler