Cloud Threats 2022 Year in Review

January 20, 2023

Looking back on 2022, cloud environments increasingly became the focus of cyber attackers. Although attackers' basic techniques and methods have not changed significantly, an increase in so-called long-chain attacks was observed. These attacks combine traditional techniques such as social engineering with cloud misconfigurations and over-privileged identities, leading to momentous breaches for businesses.

Over-privileged access permissions

The past year began with the disclosure of an attack by the LAPSUS$ group, who used stolen credentials and leveraged multi-factor authentication to penetrate several well-known organisations. Once the attackers had found a way into an organisation, they continued their campaign by moving laterally within the IT infrastructure via admin credentials, eventually obtaining highly privileged credentials for cloud and on-premise resources. With these credentials, they were able to compromise various cloud workloads and gain access to sensitive data. From this, it is clear that organisations continue to fail to identify the potential blast radius of both human and non-human identities, which can lead to prolonged root cause analysis and greater impact in the form of data loss.

Damage from insiders

In addition to sophisticated attacks, insider threats also remained a major concern for businesses. Here, access paths to sensitive data are exploited or inadvertently exposed in public cloud environments. An important approach to reducing the risk of insider threats is to identify indirect access paths to sensitive data and close them off. An example is a user who has access to an EC2 instance, which in turn has access to an S3 bucket, giving the user a transitive relationship to the data.
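The indirect access path just described (user, then EC2 instance, then instance-profile role, then bucket) is easiest to spot when the environment is modelled as a graph and every route from a principal to a bucket is enumerated. The following is an added example, not code from the article or from Zscaler; its inventory is a constructed, simplified snapshot rather than real AWS API output, and the user, instance, role and bucket names in it are invented.

```python
"""Find transitive access paths from IAM users to S3 buckets.

Added example, not code from the original article. INVENTORY is a constructed,
deliberately simplified snapshot (not real AWS API output) that models the case
the text describes: a user who can reach an EC2 instance whose instance-profile
role grants access to a bucket the user has no direct permission on.
"""

# Constructed inventory. "instances" lists the EC2 instances a user can log in
# to (SSH or SSM); "assumable_by" lists the users allowed to sts:AssumeRole.
INVENTORY = {
    "users": {
        "alice": {"direct_buckets": [], "instances": ["i-web01"]},
        "bob": {"direct_buckets": ["logs-bucket"], "instances": []},
        "carol": {"direct_buckets": [], "instances": []},
    },
    "instances": {
        "i-web01": {"profile_role": "WebServerRole"},
        "i-batch": {"profile_role": "BatchRole"},
    },
    "roles": {
        "WebServerRole": {"buckets": ["customer-data"], "assumable_by": []},
        "BatchRole": {"buckets": ["customer-data"], "assumable_by": ["alice"]},
    },
}


def build_graph(inv):
    """Directed graph: node -> [(neighbour, mechanism that grants the hop)]."""
    graph = {}

    def edge(src, dst, via):
        graph.setdefault(src, []).append((dst, via))

    for user, u in inv["users"].items():
        for b in u["direct_buckets"]:
            edge(f"user:{user}", f"bucket:{b}", "identity policy")
        for i in u["instances"]:
            edge(f"user:{user}", f"instance:{i}", "instance login (SSH/SSM)")
    for inst, i in inv["instances"].items():
        edge(f"instance:{inst}", f"role:{i['profile_role']}", "instance profile credentials")
    for role, r in inv["roles"].items():
        for b in r["buckets"]:
            edge(f"role:{role}", f"bucket:{b}", "role policy")
        for p in r["assumable_by"]:
            edge(f"user:{p}", f"role:{role}", "sts:AssumeRole")
    return graph


def find_paths(graph, start, target):
    """All simple paths from start to target; each path is a list of hops (src, via, dst)."""
    paths = []
    stack = [(start, [])]
    while stack:
        node, hops = stack.pop()
        if node == target:
            paths.append(hops)
            continue
        visited = {start} | {h[2] for h in hops}
        for nxt, via in graph.get(node, []):
            if nxt not in visited:
                stack.append((nxt, hops + [(node, via, nxt)]))
    return paths


def access_report(inv):
    """Map (user, bucket) -> list of paths, for every pair with at least one path."""
    graph = build_graph(inv)
    buckets = sorted({dst for edges in graph.values() for dst, _ in edges if dst.startswith("bucket:")})
    report = {}
    for user in inv["users"]:
        for bucket in buckets:
            paths = find_paths(graph, f"user:{user}", bucket)
            if paths:
                report[(user, bucket.split(":", 1)[1])] = paths
    return report


def indirect_access(report):
    """Pairs whose every path runs through an intermediate node, i.e. no direct grant exists."""
    return {pair for pair, paths in report.items() if all(len(p) > 1 for p in paths)}


if __name__ == "__main__":
    rep = access_report(INVENTORY)
    transitive = indirect_access(rep)
    for (user, bucket), paths in sorted(rep.items()):
        flag = "TRANSITIVE" if (user, bucket) in transitive else "direct"
        print(f"{user} -> {bucket} [{flag}]")
        for hops in paths:
            print("  " + " ".join(f"{src} --{via}-->" for src, via, _ in hops) + " " + hops[-1][2])
```

Run stand-alone, the script reports that alice reaches customer-data only transitively (through the instance's profile role and through an assumable role) while bob's access to logs-bucket is direct. The mechanism label on each hop is what makes the finding actionable: it tells the reviewer whether the fix is to remove an instance login, tighten a role trust policy, or narrow a role's S3 permissions.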

Obsolete and unused objects

Resource misuse, particularly through obsolete or unused objects, led to several major security breaches in the past year. Businesses use the cloud for its productivity benefits, as large amounts of data can be moved easily. However, accidentally shared database or disk snapshots give attackers unwanted access to these resources and thus to sensitive data. Unused IAM objects such as access roles, service principals and API access keys remain the attackers' means of choice for penetrating an organisation.

Application security as a risk

In addition, poor application security by design remains a major problem for the cloud. Poorly coded web applications continue to give attackers an entry point into other organisations' cloud environments. Once exploited, attackers can use OWASP Top 10 attack vectors such as SSRF or CSRF to reach cloud metadata services and then move on through poorly configured IAM roles. Organisations consistently fail to secure cloud metadata services such as the Instance Metadata Service (IMDS) in AWS, increasing the risk of attack.
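On the application side, the control that stops an SSRF from reaching the metadata service is a destination check applied to every server-side fetch of a user-supplied URL. The following is an added example, not code from the article or from Zscaler: it rejects non-HTTP schemes and any destination that resolves to a link-local, loopback or private address (the IMDS address 169.254.169.254 sits in the IPv4 link-local block; fd00:ec2::254 is its IPv6 counterpart). The resolver is injected so the check can be exercised offline against a constructed DNS table; the hostnames and addresses in that table are invented.

```python
"""Reject server-side fetches whose destination is the cloud metadata service
or any other non-public address.

Added example, not code from the original article. The resolver is injected so
the check can be exercised offline with constructed DNS answers; in production
the default resolver below uses socket.getaddrinfo.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a user-controlled URL must never reach from the server side.
# 169.254.169.254 (IMDS) is inside 169.254.0.0/16; fd00:ec2::254 is inside fc00::/7.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def default_resolver(host):
    """Every address the system resolver returns for host (raises OSError on failure)."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


# Constructed DNS table for offline demonstration; the names are invented.
DEMO_DNS = {
    "metadata.internal": {ipaddress.ip_address("169.254.169.254")},
    "api.example.com": {ipaddress.ip_address("203.0.113.10")},
}


def demo_resolver(host):
    if host not in DEMO_DNS:
        raise socket.gaierror(f"constructed resolver has no record for {host}")
    return DEMO_DNS[host]


def is_blocked_ip(ip):
    ip = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal such as ::ffff:169.254.169.254 is judged by
    # its IPv4 form, otherwise it would slip past the IPv4 block list.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_url(url, resolver=default_resolver):
    """Return (allowed, reason). Only http/https to public addresses is allowed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        # IP literal (urlsplit strips the brackets from IPv6 literals).
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        # Not a plain literal: resolve it. Obfuscated forms such as a decimal
        # integer address end up here too and are judged by what they resolve to.
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution of {host} failed: {exc}"
    if not addrs:
        return False, f"{host} resolved to no address"
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://[fd00:ec2::254]/",
              "http://metadata.internal/", "file:///etc/passwd", "https://api.example.com/v1"):
        print(u, "->", check_fetch_url(u, demo_resolver))
```

Two caveats worth noting in the design. The check resolves the name once, so the HTTP client must connect to the address that was checked rather than resolve the name again, or a rebinding DNS record can hand it a different answer; and the check is a per-application control that complements, rather than replaces, requiring IMDSv2 with a low hop limit on the instances themselves.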

Data leaks in S3 buckets

Another major problem in the past year remained leaks from buckets or blobs, where entire petabytes of data are exposed through incorrectly configured cloud storage. Highly sensitive, unencrypted data stored in the public cloud poses a great risk of data loss. Companies are often unable to distinguish a legitimate public data release from an accidental one. The result is countless data breaches, and even in 2022 this problem had not been fixed. Noisy tools and a lack of processes for responding to security incidents in the cloud made such incidents more serious for companies than they needed to be.
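Telling an intended public release apart from an accidental one requires two things the paragraph implies: a way to detect public exposure in a bucket's policy and ACL, and a maintained allowlist of buckets that are meant to be public. The following is an added example, not code from the article or from Zscaler. It evaluates constructed bucket policy and ACL documents (the bucket names are invented and the account id is the AWS documentation placeholder), flags every grant to everyone, and reports a bucket as unexpected only when it is public and not on the allowlist.

```python
"""Classify buckets as private, intentionally public, or unexpectedly public.

Added example, not code from the original article. SAMPLE_BUCKETS holds
constructed policy and ACL documents in the shape AWS returns them; the bucket
names are invented and 123456789012 is the AWS documentation placeholder account.
"""
import json

# Canned ACL group URIs that make a grant public.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" anywhere in the AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def public_statements(policy):
    """Allow statements granted to everyone. A Condition may narrow the grant
    (aws:SourceVpce, aws:SourceArn, ...); such statements are reported as
    'conditioned' for human review rather than silently treated as safe."""
    if policy is None:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        hits.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": "Condition" in stmt,
        })
    return hits


def public_acl_grants(acl):
    """ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS]


def audit_buckets(buckets, intended_public):
    """name -> {"status": private | intended-public | UNEXPECTED-public, "reasons": [...]}."""
    report = {}
    for name, cfg in buckets.items():
        reasons = []
        for s in public_statements(cfg.get("policy")):
            kind = "conditioned" if s["conditioned"] else "unconditional"
            reasons.append(f"policy {s['sid']}: {kind} grant of {','.join(s['actions'])} to everyone")
        for g in public_acl_grants(cfg.get("acl", {})):
            reasons.append(f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}")
        if not reasons:
            status = "private"
        elif name in intended_public:
            status = "intended-public"
        else:
            status = "UNEXPECTED-public"
        report[name] = {"status": status, "reasons": reasons}
    return report


# Constructed sample configuration (not real account data).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_BUCKETS = {
    "www-assets": {"policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::www-assets/*"}]}},
    "customer-exports": {"acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    "backups": {"policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "BackupRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/BackupRole"},
         "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::backups/*"}]}},
    "partner-feed": {"policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::partner-feed/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]}},
}
INTENDED_PUBLIC = {"www-assets"}  # the maintained allowlist of deliberate releases

if __name__ == "__main__":
    for name, result in audit_buckets(SAMPLE_BUCKETS, INTENDED_PUBLIC).items():
        print(f"{name}: {result['status']}", *result["reasons"], sep="\n  ")
```

The allowlist is the piece most organisations lack: without it every public bucket looks the same to a scanner, which is exactly the noise the paragraph describes. Conditioned grants to everyone are deliberately not downgraded to private, because whether a VPC-endpoint or source-ARN condition actually restricts access depends on context a policy parser cannot see.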

Loss of source code

This trend started back in 2020 with SolarWinds and showed no sign of abating last year. Malware actors target organisations' intellectual property by going after source code repositories, putting themselves in a position to launch further attacks on the supply chain. The threat of losing embedded API keys will be further increased by public code repositories such as GitHub. How companies can respond to this is outlined by Zscaler in one of their recent blogs.

Conclusion: CNAPP as a solution approach

The trends described here are not the only things evolving. There is also a growing awareness among developers of how misconfigurations and vulnerabilities can be mitigated through the use of CNAPP tools, raising hopes of at least keeping these types of attacks at bay. Such solutions rely on multi-vector telemetry to detect misconfigurations, privacy gaps and identities, providing remediation and increased resilience against attacks on cloud environments in 2023.

Arnab Roy, Cloud Security Architect at Zscaler
