The Threat of Cloud Service Provider Abuse
For many enterprises, cloud services have become a foundational element of IT operations as they pursue multi-cloud and hybrid cloud approaches in search of greater efficiency and agility.
Threat actors continue to look to the cloud as well, but with the aim of abusing the capabilities of cloud service providers to compromise enterprise environments. While enterprises use cloud-based services to support collaboration and business processes, these same services are increasingly abused by malicious actors for computer network operations (CNO). This trend will likely continue in the foreseeable future as more businesses adopt hybrid work environments.
Common Cloud Attack Vectors
Common cloud attack vectors used by eCrime and targeted intrusion adversaries include:
Distributed denial-of-service (DDoS) attacks
A DDoS attack is caused by an attacker overloading a web server, system or network with traffic, making it difficult or impossible for legitimate users to access IT resources. Attackers are known to abuse hijacked cloud accounts or free user trials for DDoS attacks.
Phishing and account takeover
Cybercriminals use phishing to steal user credentials for cloud services, then take over those accounts and use them in their malicious schemes.
Spam
Spammers use cloud infrastructure to blast out their messages. These attackers take advantage of the reliability and bandwidth of cloud computing services to aid their operations.
Cryptojacking
In cryptojacking, attackers use a victim’s computing power to mine cryptocurrency. If an attacker can gain access to an organization’s cloud resources, they can harness those assets for mining operations.
Brute-force attacks
Brute-force attacks are a method of compromising user accounts in which a threat actor uses trial and error to guess a user’s password or login credentials. Common forms include dictionary attacks and credential stuffing.
Hosting of malicious content
Once cloud services have been compromised, they can be used to host malicious content, from phishing pages to spam bots. Because the content sits on a trusted brand’s infrastructure alongside legitimate content, it is harder for defenders to block without also blocking the legitimate service.
Insider threats
Internal threat actors also pose a risk, as they can use their legitimate access to cloud resources to launch attacks from those assets.
How Cloud Service Provider Abuse Works
CrowdStrike threat researchers monitor the cloud closely for malicious activity, and attackers continue to adopt tactics to improve their stealth and effectiveness. For cybercriminals, avoiding detection is made easier by abusing trusted relationships between users, providers and networks.
Adversaries abuse the trust relationships that cloud service providers establish between tenants, users and networks, and move laterally from enterprise authentication assets hosted on cloud infrastructure to reach additional targets. If an adversary can elevate their privileges to the global administrator level, they may be able to pivot between related cloud tenants to further their access.
This issue is particularly significant if the initially targeted organization is a managed service provider (MSP). In this case, global administrator access can be used to take over the support accounts the MSP uses to make changes to its customer networks, creating multiple opportunities for vertical propagation into many other networks. This technique was used by the threat actor COZY BEAR (a Russia-affiliated threat actor) throughout 2020, with evidence of continued intrusions in MSP networks into 2021.
What You Can Do to Protect Your Cloud Environment
As with on-premises environments, security teams with insight into attackers’ tools and tactics have the best chance to identify and stop threats more quickly. Security teams should keep the following firmly in mind to remain grounded in best practices.
Monitor identities and how they are being used
Protecting cloud environments requires a focus on identity: securing user accounts with strong passwords and multifactor authentication (MFA), and monitoring sign-in activity for suspicious patterns such as repeated failures, logins from unexpected locations, or successful logins that bypass MFA.
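As an added example (not CrowdStrike’s code or the code of any product it describes), the following Python detector applies the identity-monitoring guidance above to the brute-force, credential-stuffing and account-takeover vectors listed earlier. The sign-in events, the source IPs and the thresholds are all constructed for illustration; a real deployment would read them from the provider’s sign-in audit log and tune the thresholds to its own baseline.

```python
from collections import defaultdict

# Constructed sample of cloud sign-in audit events (not from any real tenant).
# Fields: timestamp (epoch seconds), user, source IP, result, MFA satisfied.
SAMPLE_EVENTS = [
    (1000, "alice", "203.0.113.7", "fail", False),
    (1005, "alice", "203.0.113.7", "fail", False),
    (1010, "alice", "203.0.113.7", "fail", False),
    (1015, "alice", "203.0.113.7", "fail", False),
    (1020, "alice", "203.0.113.7", "fail", False),
    (1030, "alice", "203.0.113.7", "success", False),   # takeover without MFA
    (1100, "bob",   "198.51.100.9", "fail", False),
    (1101, "carol", "198.51.100.9", "fail", False),
    (1102, "dave",  "198.51.100.9", "fail", False),
    (1103, "erin",  "198.51.100.9", "fail", False),
    (2000, "bob",   "192.0.2.44",  "success", True),    # normal MFA sign-in
]

FAIL_THRESHOLD = 5    # failures for one account within WINDOW -> brute force (assumed value)
SPRAY_THRESHOLD = 4   # distinct accounts failing from one IP -> password spray (assumed value)
WINDOW = 600          # seconds (assumed value)

def analyze(events, window=WINDOW):
    """Return a mapping of detection name -> list of findings."""
    findings = defaultdict(list)
    fails_by_user = defaultdict(list)   # user -> [(timestamp, ip)]
    fails_by_ip = defaultdict(set)      # ip -> {users that failed from it}
    for ts, user, ip, result, mfa in sorted(events):
        if result == "fail":
            fails_by_user[user].append((ts, ip))
            fails_by_ip[ip].add(user)
            continue
        # A success that follows a burst of failures from the same IP is the
        # classic credential-stuffing / brute-force takeover signature.
        recent = [t for t, i in fails_by_user[user] if i == ip and ts - t <= window]
        if recent:
            findings["success_after_failures"].append((user, ip, len(recent)))
        if not mfa:
            findings["success_without_mfa"].append((user, ip))
    for user, fails in fails_by_user.items():
        ts_list = sorted(t for t, _ in fails)
        for i in range(len(ts_list) - FAIL_THRESHOLD + 1):
            if ts_list[i + FAIL_THRESHOLD - 1] - ts_list[i] <= window:
                findings["brute_force"].append(user)
                break
    for ip, users in fails_by_ip.items():
        if len(users) >= SPRAY_THRESHOLD:
            findings["password_spray"].append((ip, len(users)))
    return findings
```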
Identify the most critical assets and monitor them for outbound communications and exfiltration
Organizations need visibility into cloud environments to stay on the lookout for signs of compromise. Outbound connections should be scrutinized to pinpoint unusual communications.
Educate the security operations center (SOC) on cloud security
Many SOC analysts and incident responders do not have expertise in cloud technologies. Invest in training as it is crucial that the SOC team understands cloud tools and infrastructure.
Develop incident response plans aligned with the shared responsibility model
Organizations should have detailed playbooks outlining who should respond to and remediate threats, and how. Security orchestration, automation and response (SOAR) technologies are critical, enabling enterprises to collect threat-related data and automate response.
Focus cloud threat hunting on indicators of attack (IOAs)
As always, knowledge is power. Enterprises must leverage the latest threat intelligence to keep pace with attackers and improve their ability to detect and respond to the risks they face. CrowdStrike Falcon Cloud Security provides advanced cloud-native security for any cloud, powered by holistic intelligence and end-to-end protection from the host to the cloud, delivering greater visibility, compliance and the industry’s fastest threat detection and response to outsmart the adversary.