What We Can Learn From Major Cloud Cyberattacks
Analysis of six major cloud incidents shows how some common mistakes can lead to serious consequences.
November 9, 2023
Several notorious cloud hacks between 2020 and 2022 were the result of simple technical errors, and their damage could have been limited by faster detection and response.
In a study of six major cloud security incidents from 2020 to 2022, Mohamed Shaaban, solution architect at Sysdig, found that attacks on the cloud are becoming more advanced, particularly in their volume and in attackers' use of automated tools. Defenders, he concludes, need to speed up their detection and response capabilities to keep pace.
Shaaban and his colleague Rafik Harabi will present a talk at Black Hat Middle East on "Lessons from 6 Headline-Grabbing Security Breaches" next week.
The researchers found some telling threads running through the six incidents. Among them: attackers are building tools that automate scanning for, finding, and exploiting targets, and they gain initial access through leaked credentials and well-known vulnerabilities rather than novel ones.
The researchers selected attacks from different industries to analyze a range of cloud incidents:
PyTorch — In December 2022, an attacker uploaded a malicious package to PyPI under the name of a dependency of the PyTorch nightly build (torchtriton), so that installs which also consulted PyPI pulled the attacker's copy instead of the real one, a dependency-confusion attack. The malicious code was designed to collect system data and send it out. The attacker claimed to be an ethical hacker testing the ecosystem, but the package was caught because it obfuscated its payload and exfiltrated sensitive data.
Medibank — In October 2022, attackers gained access to the Australian health insurer's internal systems via compromised login credentials, a tactic that "may have involved VPN access." After roughly a month lurking on the systems, the attackers showed Medibank what had been stolen and demanded a ransom. The company refused to pay, and in November 2022 the attackers published the data on the dark web.
Alibaba - Shanghai Police — In July 2022, it emerged that a misconfigured Alibaba Cloud server hosting a Shanghai police database had been reachable from the Internet without a password for over a year. Some 23TB of data from it, including the personal records of roughly one billion Chinese citizens, was stolen and offered for sale on the criminal forum Breach Forums.
ONUS — In December 2021, attackers exploited a vulnerable version of Log4j (the Log4Shell remote code execution flaw) at ONUS, Vietnam's largest crypto trading platform. They got away with around two million customer records, including full names, E-KYC data, email addresses, phone numbers, encrypted passwords, and transaction histories.
Peloton — In May 2021, researchers found that Peloton's API let an unauthenticated caller view sensitive information for any user, watch live class statistics, and look up other participants in a class, even when the target's account was set to private. The exposed fields included user IDs, instructor IDs, group membership, location, workout stats, gender, and age.
Equinix — In September 2020, the data center provider suffered a ransomware attack that affected some of its internal systems. The attackers reportedly demanded a $4.5 million ransom, claiming to have downloaded sensitive data from company servers, and threatened to publish it unless paid. A nearly two-month investigation determined that no sensitive information about customer operations or customers themselves was affected, and the data centers were not impacted.
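The PyTorch entry above hinges on one installer behaviour that is easy to miss: when pip is given an extra index, it pools the candidates from every index and installs the highest version, whichever index served it. The following is an added model of that rule and of the two controls that defeat it, written for this article and not taken from PyTorch, pip or Sysdig. The index contents, version numbers, wheel bytes and the hash pin are constructed for the example; the two URLs are used only as labels and nothing is fetched.

```python
"""Added illustration of the dependency-confusion mechanism behind the
December 2022 PyTorch nightly compromise. This is not PyTorch's or pip's code.
It models one pip rule: with --extra-index-url, candidates from every index are
pooled and the highest version wins, whichever index supplied it. The index
contents, versions, wheel bytes and the requirements pin below are constructed
for the example; the two URLs are used only as labels and nothing is fetched."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple      # (major, minor, patch), compared lexicographically
    index: str          # which index served it
    payload: bytes      # stand-in for the wheel contents


PRIVATE_INDEX = "https://download.pytorch.org/whl/nightly"   # label only
PUBLIC_INDEX = "https://pypi.org/simple"                      # label only

# Constructed catalogue: the private index carries the real dependency, the
# public one carries an impostor under the same name with a higher version.
INDEXES = {
    PRIVATE_INDEX: [Candidate("torchtriton", (2, 0, 0), PRIVATE_INDEX, b"legit-wheel")],
    PUBLIC_INDEX: [Candidate("torchtriton", (3, 0, 0), PUBLIC_INDEX, b"malicious-wheel")],
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def resolve(name, index_urls, require_hashes=None):
    """Pick a distribution the way pip does: pool every configured index and
    take the highest version. If require_hashes maps the name to a set of
    allowed sha256 digests (pip's --require-hashes mode), any candidate whose
    contents do not match is discarded before the version comparison."""
    pool = [c for url in index_urls for c in INDEXES.get(url, []) if c.name == name]
    if require_hashes is not None:
        allowed = require_hashes.get(name, set())
        pool = [c for c in pool if sha256(c.payload) in allowed]
    if not pool:
        raise LookupError(f"no acceptable distribution for {name}")
    return max(pool, key=lambda c: c.version)


# Pin as it would appear in a hash-checked requirements file (constructed).
PINNED = {"torchtriton": {sha256(b"legit-wheel")}}


def vulnerable_install():
    """pip install --extra-index-url <private> torchtriton : both indexes pooled."""
    return resolve("torchtriton", [PUBLIC_INDEX, PRIVATE_INDEX])


def index_pinned_install():
    """pip install --index-url <private> torchtriton : PyPI is never consulted."""
    return resolve("torchtriton", [PRIVATE_INDEX])


def hash_pinned_install():
    """Both indexes still configured, but --require-hashes rejects the impostor."""
    return resolve("torchtriton", [PUBLIC_INDEX, PRIVATE_INDEX], require_hashes=PINNED)


if __name__ == "__main__":
    for label, fn in [("vulnerable", vulnerable_install),
                      ("index-pinned", index_pinned_install),
                      ("hash-pinned", hash_pinned_install)]:
        c = fn()
        print(f"{label:13s} -> {c.name} {'.'.join(map(str, c.version))} from {c.index}")
```

Using `--index-url` alone only works when the private index also serves (or proxies) every other dependency, which is the practical reason projects reach for `--extra-index-url` in the first place; hash pinning closes the gap regardless of how many indexes are configured, and reserving the dependency's name on the public index is the usual complementary control.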
Lessons Learned
Shaaban says the intention of the research into these attacks was to learn "what really went bad and what could have been done better." Those takeaways can help organizations reflect on their own cloud environments and review the security controls and processes they have in place, especially by focusing on the technical aspects of each incident and its long-term impact.
The researchers say the attack and response patterns in these incidents can provide insight into how to better protect and respond to cyber threats in the cloud.
Shaaban says one challenge is that security teams often must decide whether to take a prevention approach, hardening their defenses, or to focus on detection and response, which requires multiple layers of security tooling.
Therefore, he notes, a benchmark for detection and response is required, especially as defenders must move faster to protect a wider attack surface against attackers who use automated tooling.
In that vein, Sysdig has proposed the 5/5/5 benchmark, where a company takes five seconds to detect, five minutes to triage, and five minutes to respond to a threat.
"In the cloud, because everything is really quick, we need everything to be fast, and we need the detections, triage, and response to be very fast, and this is why we have proposed the 5/5/5 benchmark," Shaaban says.
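The 5/5/5 benchmark is only useful if the three intervals are actually measured. The following is an added example, written for this article rather than taken from Sysdig, of computing detect, triage and respond times from alert lifecycle events and checking each against the 5 second / 5 minute / 5 minute thresholds. The event log is constructed, and the stage names (observed, detected, triaged, responded) and the line format `<ISO-8601 UTC timestamp> <alert id> <stage>` are this example's own assumptions about how a pipeline records its clock.

```python
"""Added example of measuring an alert pipeline against the 5/5/5 benchmark:
5 seconds to detect, 5 minutes to triage, 5 minutes to respond. This is not
Sysdig's code. The log below is constructed for the example, and the stage
names (observed, detected, triaged, responded) and the line format
'<ISO-8601 UTC timestamp> <alert id> <stage>' are this example's own."""
from datetime import datetime, timezone

# Thresholds in seconds; each phase runs from its start stage to its end stage.
BENCHMARK = {"detect": 5, "triage": 300, "respond": 300}
PHASES = [("detect", "observed", "detected"),
          ("triage", "detected", "triaged"),
          ("respond", "triaged", "responded")]
STAGES = {"observed", "detected", "triaged", "responded"}

# Constructed lifecycle events for three alerts. a1 meets every phase, a2 is
# detected and contained too slowly, a3 is detected but never triaged.
SAMPLE_LOG = """\
2023-11-09T10:00:00.000Z a1 observed
2023-11-09T10:00:02.000Z a1 detected
2023-11-09T10:03:10.000Z a1 triaged
2023-11-09T10:07:45.000Z a1 responded
2023-11-09T11:15:00.000Z a2 observed
2023-11-09T11:15:41.000Z a2 detected
2023-11-09T11:16:00.000Z a2 triaged
2023-11-09T11:31:00.000Z a2 responded
2023-11-09T12:00:00.000Z a3 observed
2023-11-09T12:00:01.000Z a3 detected
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def load(log_text):
    """Group stage timestamps by alert id: {alert_id: {stage: datetime}}.
    Malformed lines raise rather than silently vanish, because a dropped
    'responded' event would otherwise look like a slow response."""
    alerts = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected '<ts> <alert> <stage>'")
        ts, alert_id, stage = parts
        if stage not in STAGES:
            raise ValueError(f"line {n}: unknown stage {stage!r}")
        alerts.setdefault(alert_id, {})[stage] = parse_ts(ts)
    return alerts


def evaluate(stages):
    """Return {phase: (elapsed_seconds, met)} for one alert. A phase whose end
    stage never occurred reports (None, False): an alert that was detected but
    never triaged has missed the benchmark, not passed it."""
    result = {}
    for phase, start, end in PHASES:
        if start in stages and end in stages:
            elapsed = (stages[end] - stages[start]).total_seconds()
            result[phase] = (elapsed, elapsed <= BENCHMARK[phase])
        else:
            result[phase] = (None, False)
    return result


def report(log_text):
    return {alert_id: evaluate(stages) for alert_id, stages in load(log_text).items()}


def met_all(log_text):
    """Alert ids that met every phase of the benchmark."""
    return sorted(a for a, r in report(log_text).items()
                  if all(ok for _, ok in r.values()))


if __name__ == "__main__":
    for alert_id, r in report(SAMPLE_LOG).items():
        cells = []
        for phase, (secs, ok) in r.items():
            shown = "--" if secs is None else f"{secs:.0f}s"
            cells.append(f"{phase}={shown}{'' if ok else ' MISS'}")
        print(alert_id, " ".join(cells))
```

The "observed" clock is the one choice that decides whether the 5 second detection target is even measurable: it has to be the time the underlying event happened (syscall, audit record, API call), not the time a batch job first looked at it, or the detection interval will always read as zero.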