One cloud-focused cybersecurity firm reviews 2021 cloud-based cyber incidents to quell any complacency in the de facto security of the Cloud.

Cloud adoption continues to be an essential part of the modern enterprise, particularly as remote and hybrid working look to be the new normal; and while it has brought about greater agility, scalability and cost effectiveness, it has also led to a shift in focus for threat actors and exposed new vulnerabilities. 

On this premise, one cybersecurity firm has released a cloud security threat report summarizing its experts’ research into:

  • Cloud vulnerability exploitation
    (RCE vulnerabilities in server software, Accellion FTA vulnerabilities, CVE-2021-21971)
  • Credential theft
    (Office 365, Okta, online webmail accounts, the COSMIC WOLF attack on AWS)
  • Cloud service provider abuse
    (Incidents with managed service providers, COZY BEAR TTPs in 2020/2021)
  • Malware hosting and C&C
    (Leveraging of legitimate cloud services to deliver malware and to establish command & control; evasion of signature-based detections; switching or removing of payloads from an affiliated C2 URL with ease)
  • Exploitation of misconfigured image containers
    (Attacks on improperly configured Docker containers; incidents involving the Doki malware family; the access and modification of constituent parts of Kubernetes clusters where misconfigurations could provide an adversary with initial access to one component and subsequent lateral propagation opportunities that provide access to desired resources.)

In addition, the report goes in-depth into two Russian based threat actors and dissects their attack methodologies:

  1. FANCY BEAR: Associated with the 85th Main Center of the Special Services (aka Military Unit 26165) of Russia’s Main Intelligence Directorate (GRU) and now shifting toward increased use of credential-harvesting tactics including both large-scale scanning techniques and victim-tailored phishing websites.
  • COZY BEAR: The group demonstrates a high level of post-exploitation proficiency, particularly involving the enumeration of, and lateral movement within, cloud environments. Uses authentication cookie theft to bypass MFA restrictions implemented on target networks.

The report by CrowdStrike recommends the adoption of a cloud security posture management solution coupled with runtime protection, real-time visibility of endpoints, and tight control of cloud configuration integrity.