New cloud threats as attackers embrace the power of cloud
Safeguarding your critical data is getting harder as threat actors embrace the advantages -- and missteps -- of cloud. Here's what to watch out for in 2018.
When Apple Inc. launched its iCloud service in 2011, cloud threats didn't include the Chinese government. Apple changed its policy in February of this year and conceded to Chinese authorities' demands to store mainland residents' encryption keys in data centers in the People's Republic of China. Housed on local servers, run by state-backed Guizhou-Cloud Big Data Industry Co. Ltd, experts fear the Chinese government could gain access to users' private data. Apple may be one of the wealthiest company's in the world, but even it cannot guarantee data security in the cloud.
Consistent security for all data from third-party partners and cloud providers is what many consider the next evolution of cloud. Even when the risks associated with cloud threats are high, the cost benefits -- in Apple's case, access to a market with the world's largest purchasing power -- outweigh the risks. This matters more and more as use of cloud services grows.
Enterprise spending for public cloud services worldwide is expected to reach $160 billion in 2018, according to International Data Corporation, up 23.2% from 2017. In the U.S., discrete manufacturing, professional services and banking industries are forecast to spend the most this year on public cloud services.
Software as a service continues to have the highest growth as Microsoft, Oracle and SAP migrate their on-premises enterprise customers to subscription services in the cloud. Spending on infrastructure as a service -- AWS, Microsoft Azure and others -- is next, followed by platform as a service (PaaS) offered by Amazon, Microsoft, Salesforce, Google App Engine, Heroku Enterprise and more. Companies are using PaaS -- operating systems and hardware -- for rapid development, testing, deployment and increasingly, data management.
More power in the cloud
Most platforms take advantage of public cloud security features, but large-scale clouds don't always mean large-scale threat protection. What cloud threats should you watch out for in 2018?
Malicious cryptomining is one of the leading types of attacks since September 2017, according to Malwarebytes Labs. With the volatility in the Bitcoin market -- described as the next gold rush -- it's no surprise that hackers who need massive processing power to verify and confirm transactions to blockchain have found their way to cloud servers in an attempt to earn more digital currency.
In February, hackers accessed an Amazon public cloud account, owned by electric carmaker Tesla, using credentials obtained through an unsecured administrative console in Kubernetes open source orchestration software. The Tesla breach had similarities to cryptocurrency mining malware detected in the Amazon and Microsoft public clouds of SIM card manufacturer Gemalto, and multinational insurance provider Aviva, according to RedLock, the cybersecurity startup that disclosed the attacks. But the Tesla hackers used different techniques to cover their tracks. Instead of using a public mining pool -- groups of cooperative miners, largely based in China -- they installed "mining pool" software, hid the IP address of the server behind Cloudflare and configured the software to a nonstandard port, according to security researchers. The attackers also accessed sensitive telemetry data and other nonpublic information Tesla stored in an Amazon Simple Storage Service (S3) bucket. Tesla addressed the security problems when RedLock notified the car company.
There's a lot of money to be made in cryptocurrency, and it is so much easier to attack IoTs with Linux malware.
Mounir Hahadhead of threat research, Juniper Networks
A Los Angeles Times website called The Homicide Report maps murders and homicides -- 633 people were killed in the last 12 months -- in LA County. In February, attackers discovered an unsecured AWS S3 bucket. They embedded the popular cryptojacking malware Coinhive into the website for drive-by mining of visitors' browsers and PCs. Security researcher Troy Mursch discovered the embedded JavaScript, used specifically to mine Monero, an open-source cryptocurrency released in April 2014. Author of the Bad Packets Report blog, Mursch's internet research tracks cryptojacking and internet of things (IoT) botnets.
Linux malware that attacks embedded systems to build botnets -- similar to Rakos -- is going to become more prevalent. "The reason we haven't seen it in the past is because, by trade, the people who are writing malware and doing these intrusions are heavily Windows-based," said Mounir Hahad, head of threat research at Juniper Networks Inc. in Sunnyvale, Calif. "But as it turns out, it seems like there's a lot of money to be made in cryptocurrency, and it is so much easier to attack IoTs with Linux malware." In December, Juniper Threat Labs discovered Linux malware on a popular home brand of DSL routers used to build an IoT botnet for cryptocurrency mining. Juniper notified the manufacturer. Hahad expects to see more IoT botnets used for Bitcoin mining because many IoT embedded systems are Linux-based.
Signing up botnets
Data shows a rise in the number of attackers that consume public cloud services to host command-and-control servers for IoT botnets and ransomware. In January, the Spamhaus Project, a nonprofit based in Geneva, released its 2017 Botnet Threat Report. Researchers at Spamhaus Malware Labs identified more than 9,500 botnet command-and-control servers on 1,122 different networks. Botnet controllers, according to Spamhaus' block listings, increased 32% in 2017, and that data does not include controllers hosted on the dark web, where servers can't be identified. "What stands out in 2017 is the dramatic increase of botnet controllers hosted at cloud providers," the researchers stated. Large botnet operators are cloud threats, deploying botnet controllers in public clouds such as Amazon Web Services and Google Cloud Platform (Compute Engine) using fraudulent signups. "While some of the cloud providers managed to deal with the increase of fraudulent signups, others are obviously still struggling with the problem," researchers said.
Botnets increasingly pose a number of types of cloud threats, powering distributed denial-of-service, ransomware and other crippling attacks. Ransomware remains one of the most lucrative for cybercriminals, who can easily find ransomware kits online; more than 4,000 online sites sell roughly 45,000 ransomware products and services, according to McAfee's February report "The Economic Impact of Cybercrime."
Mounir Hahad
While ransomware is on the radar of most companies and law enforcement, threat researchers like Hahad expect to see an uptick in ransomware as a service. "I think we are going to have to deal with that threat very seriously," he said. "We're getting a lot of relatively low-level, low-skilled cybercriminals taking advantage of other people who want to stay hidden and who have the capabilities to develop some pretty potent malware."
Some of these issues are enterprise problems, but some are not. In the shared-responsibility model for public cloud security, cloud providers secure the physical data centers and protect their network systems against attacks. Companies consuming cloud services are responsible for the rest: configuring and launching cloud instances, managing identity and access controls, updating security controls to match configuration changes, and most importantly, protecting workloads and data.
The architectural flaws in Intel and Advanced Micro Devices chip designs, like the Meltdown and Spectre vulnerabilities disclosed by security researchers in January, fall into the realm of cloud providers, however. The vulnerabilities require updating the CPU's firmware microcode and operating system. (Intel reportedly warned its Chinese technology customers about the critical security flaws before it divulged them to the U.S. government.)
Mounir Hahad
