Attackers appear to be in lockstep with enterprise organizations in the march to the cloud — but with an entirely different set of objectives, research shows.
For most organizations, the cloud is about improved flexibility, scalability, and cost-effectiveness. For cybercriminals, it’s an environment abundant with poorly secured enterprise data, applications, and other online assets.
IBM’s X-Force threat intelligence team analyzed the cloud threat landscape for a yearlong period starting in the second quarter of 2020. The team’s research shows attackers have sharply increased their focus on cloud targets as enterprises accelerated their adoption of SaaS, IaaS, and PaaS over the past year.
One of the most troubling signs of increased attacker interest, researchers say, is a thriving black market for stolen credentials used to access enterprise accounts and resources on public cloud platforms. IBM X-Force discovered some 30,000 cloud credentials potentially available for sale on Dark Web forums. More than 70% of credentials advertised for sale offered Remote Desktop Protocol (RDP) access to cloud resources. Prices for these credentials ranged from a few dollars to more than $15,000 per credential.
The factors influencing prices for cloud access credentials include the level of access a credential potentially offers — privileged access credentials were pricier than those offering less privileged access — and the amount of credit associated with an account.
Organizations often fund cloud accounts with a certain number of extra credits to quickly buy additional resources as needed. IBM discovered criminals charge more for credentials to accounts with high credit compared with those with lower credit limits. For example, credentials for an account with $5,000 in available credit tended to have an average black market price of $250, while those with $1,000 in credit tended to be priced much lower. According to IBM, prices for access credentials tended to increase by $1 for every $15 to $30 in account credit.
“Interestingly, many of these ads were accompanied by enticing refund policies to sway buyers’ purchasing power,” says Charles DeBeck, a cyber-threat intelligence analyst at IBM X-Force. “For example, we saw sellers offering 7-to-14-day refunds if buyers weren’t able to access the cloud environment using the purchased compromised accounts.”
IBM’s analysis also confirmed, once again, what several others have reported about many cloud-related risks being self-inflicted: Two-thirds of cloud breaches investigated were caused by poorly configured APIs. Many organizations use APIs to provide Internet access to back-end applications and data but often fail to secure how APIs are accessed or consider that APIs might inadvertently provide access to data that was not intended to be shared.
“Specifically, two out of three breached cloud environments we studied were associated to misconfigured APIs,” DeBeck says.
IBM incident responders also uncovered virtual machines and other cloud resources deployed with default security settings, or with misconfigurations that left them vulnerable to exploits and abuse. In other instances, researchers found that internal services such as RDP were left exposed on the Internet because of improperly enforced network security controls. The X-Force team uncovered password and security policy violations in 100% of the customer environments where they conducted cloud penetration tests during their study.
“These ‘cracks’ are all preventable forms of vulnerability, but many businesses don’t have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premises environments,” DeBeck says.
“This has resulted in a fragmented and more complex security environment that is tough to manage and provides little visibility into cloud environments,” he adds. The X-Force study showed a 150% increase in the number of publicly disclosed vulnerabilities in cloud-deployed applications over the past five years. To make matters worse, a higher percentage of cloud vulnerabilities these days are severe, researchers found.
DeBeck says the growing investment in cloud malware among attackers is particularly interesting.
“We’re seeing a whole host of malware families developing new cloud-focused capabilities,” he notes. “This indicates to me that threat actors realize cloud is where things are going and they’re investing accordingly, and that means that cloud security will continue to be critical.”