As cyber criminals continue to scramble for new ways to infiltrate modern businesses, a new report from IBM Security X-Force highlights key cybercriminal tactics, the open doors users leave them, and the burgeoning market for stolen cloud resources on the dark web.
The big lesson from the data is that companies still determine their own destiny when it comes to cloud security. Fixing misconfigurations in applications, databases and policies could have stopped two-thirds of the compromised cloud environments observed by IBM in this year’s report.
The X-Force Cloud Security Threat Landscape Report 2021 from IBM has been expanded to include new and more robust data compared to the 2020 report, and covers the second quarter of 2020 to the second quarter of 2021. The data sets used include dark web analysis, IBM Security X-Force Red penetration test data, IBM Security Services metrics, X-Force incident response analysis, and X-Force threat intelligence research. This expanded data set provides an unprecedented view across the entire technology stack, making it possible to draw connections that improve security.
Some highlights are:
* Configure it off – Two out of three compromised cloud environments studied involved misconfigured application programming interfaces (APIs). X-Force incident responders also observed virtual machines with default security settings that were erroneously exposed to the Internet, along with misconfigured platforms and insufficiently enforced network controls.
* Rule breakers lead to compromises – X-Force Red found password and policy violations in most of the cloud penetration tests conducted over the past year. The team also observed a significant increase in the severity of vulnerabilities in cloud-deployed applications, while the number of disclosed vulnerabilities in cloud-deployed applications has increased by 150% over the past five years.
* Automatic for cyber criminals – With nearly 30,000 compromised cloud accounts for sale at bargain prices on dark web marketplaces, and Remote Desktop Protocol accounting for 70% of the cloud resources for sale, cyber criminals have turnkey options to further automate their access to cloud environments.
* All eyes on ransomware & cryptomining – Cryptominers and ransomware remain the malware most frequently deployed in compromised cloud environments and, based on the analyzed data, account for over 50% of the detected system compromises.
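The first highlight above, default security settings and management ports exposed to the Internet, is the kind of misconfiguration an inventory audit can catch before an incident responder does. The following is an added example, not code from the report or from IBM: it walks a constructed inventory of virtual machines and their inbound rules, and flags any machine still on a security group named "default" and any sensitive port (RDP, SSH, common database ports) reachable from the whole Internet. The inventory format, the port list and the machine names are assumptions made for this example and do not correspond to any particular cloud provider's API.

```python
"""Audit a constructed cloud inventory for world-open management ports and
default security groups. Example code; the data format is assumed."""
import ipaddress

# Ports that should never be reachable from 0.0.0.0/0 or ::/0 (list chosen for this example).
SENSITIVE_PORTS = {
    22: "SSH",
    3389: "RDP",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
}

# Constructed sample inventory: each VM has a security-group name and inbound rules.
INVENTORY = [
    {"vm": "web-01", "security_group": "sg-web",
     "inbound": [{"port": 443, "cidr": "0.0.0.0/0"},      # public HTTPS is expected
                 {"port": 22, "cidr": "10.0.0.0/8"}]},    # SSH limited to the internal range
    {"vm": "jump-01", "security_group": "default",
     "inbound": [{"port": 3389, "cidr": "0.0.0.0/0"}]},   # RDP open to the world
    {"vm": "db-01", "security_group": "sg-db",
     "inbound": [{"port": 5432, "cidr": "0.0.0.0/0"},     # database open to the world
                 {"port": 5432, "cidr": "10.0.1.0/24"}]}, # ...and also correctly restricted
]


def is_world_open(cidr):
    """True when the rule's source covers every address (IPv4 /0 or IPv6 /0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_inventory(inventory):
    """Return a list of (vm, finding) tuples for the two misconfiguration classes."""
    findings = []
    for vm in inventory:
        if vm["security_group"] == "default":
            findings.append((vm["vm"], "uses default security group"))
        for rule in vm["inbound"]:
            port = rule["port"]
            if port in SENSITIVE_PORTS and is_world_open(rule["cidr"]):
                findings.append(
                    (vm["vm"], f"{SENSITIVE_PORTS[port]} (port {port}) open to {rule['cidr']}")
                )
    return findings


if __name__ == "__main__":
    for vm, finding in audit_inventory(INVENTORY):
        print(f"{vm}: {finding}")
```

Run against the constructed inventory it reports three findings: the jump host on the default group, its RDP port open to the world, and the database port on db-01 open to the world; the public HTTPS rule and the internally restricted SSH and PostgreSQL rules are not flagged. In a real environment the same check would run over the inventory exported from the provider's API and feed a ticket or a policy-as-code gate rather than a print statement.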
Modernization is the new firewall
More and more companies are realizing the business value of the hybrid cloud and distributing their data over a diverse infrastructure. In fact, the 2021 Cost of a Data Breach Report showed that breached companies that had adopted a mostly public or mostly private cloud approach suffered around $1 million more in breach costs than companies with a hybrid cloud approach.
As organizations seek heterogeneous environments to distribute their workloads and better control where their most critical data is stored, modernizing these applications becomes a security checkpoint. The report highlights security policies that do not extend to the cloud and thereby increase the risks to which organizations with disconnected environments are exposed.
Some examples are:
* The perfect pivot – While businesses struggle to monitor and detect cloud threats, today’s cloud environments are. This has helped threat actors move from on-premises environments into the cloud, making this one of the most widely observed infection vectors for cloud environments, accounting for 23% of the incidents IBM responded to in 2020.
* API exposure – Another major infection vector identified was misconfigured assets. Two-thirds of the incidents investigated involved misconfigured APIs. APIs without authentication controls can allow anyone, including threat actors, to access potentially sensitive information. On the other hand, granting APIs access to too much data can lead to inadvertent disclosures.
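The API exposure bullet names two distinct defects, a missing authentication check and an endpoint that hands out more data than its callers need. The following added example, which is not code from the report or from IBM, puts a deliberately misconfigured handler next to a hardened one so the two defects can be seen side by side: the hardened version requires a bearer token, compares it in constant time, limits a principal to its own record, and serialises only an allow-listed set of fields. The request shape, the token table, the user records and every name in it are constructed for this example.

```python
"""A minimal user-lookup API handler in two versions: misconfigured (no auth,
full record returned) and hardened (bearer token required, least data returned).
Example code with constructed data; no web framework is used."""
import hmac

# Constructed data store. The last two fields must never leave the API.
USERS = {
    "u1": {"id": "u1", "name": "alice", "email": "alice@example.com",
           "password_hash": "$2b$12$constructed-hash", "ssn": "000-00-0000"},
}

# Constructed mapping of valid API tokens to the principal that owns them.
TOKENS = {"tok-constructed-123": "u1"}

# The fields a client of this endpoint actually needs (least data).
PUBLIC_FIELDS = ("id", "name", "email")


def _user_id_from_path(path):
    """Take the last path segment, e.g. '/users/u1' -> 'u1'."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def handle_user_unsafe(request):
    """Misconfigured: no authentication, and the whole record is serialised."""
    user = USERS.get(_user_id_from_path(request["path"]))
    if user is None:
        return 404, {"error": "not found"}
    return 200, dict(user)


def _principal_for(request):
    """Return the principal for a valid 'Authorization: Bearer <token>' header, else None."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    for known, principal in TOKENS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return principal
    return None


def handle_user_hardened(request):
    """Hardened: authenticate, authorise the caller for this record, return only public fields."""
    principal = _principal_for(request)
    if principal is None:
        return 401, {"error": "authentication required"}
    user_id = _user_id_from_path(request["path"])
    if user_id != principal:
        return 403, {"error": "forbidden"}  # a caller may only read its own record
    user = USERS.get(user_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, {field: user[field] for field in PUBLIC_FIELDS if field in user}


if __name__ == "__main__":
    anonymous = {"path": "/users/u1"}
    authed = {"path": "/users/u1",
              "headers": {"Authorization": "Bearer tok-constructed-123"}}
    print("unsafe, anonymous:", handle_user_unsafe(anonymous))
    print("hardened, anonymous:", handle_user_hardened(anonymous))
    print("hardened, authenticated:", handle_user_hardened(authed))
```

The unsafe handler answers an anonymous request with the full record, password hash and national identifier included, which is exactly the inadvertent disclosure the report describes. The hardened handler refuses the same request with 401, and even a correctly authenticated caller only ever sees the three allow-listed fields; adding a new sensitive column to the record later does not widen the response, because the allow-list, not the record, decides what is serialised.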
Many organizations do not have the same level of trust and expertise in configuring security controls in cloud computing environments that they do on-premise, resulting in a fragmented and more complex security environment that is difficult to manage.
Organizations need to manage their distributed infrastructure as a single environment to eliminate complexity and achieve better network visibility from the cloud to the edge and back.
By modernizing their mission-critical workloads, security teams not only achieve faster data recovery, but also obtain a much more holistic pool of threat insights into their business that can inform and accelerate their response.
Trust attackers to succeed and hold the line
The evidence that the perimeter has been wiped out is accumulating every day, and the results of the report add to this data set.
Because of this, a zero trust approach is becoming increasingly popular and urgent. It removes the element of surprise and lets security teams act proactively rather than merely reacting.
By applying this framework, companies can better protect their hybrid cloud infrastructure: they can control all access to their environments, monitor cloud activity, and verify that configurations are correct. This allows organizations to go on the offensive with their defenses, expose risky behaviors, enforce the controls required by privacy regulations, and restrict access to least privilege.
Some evidence inferred from the report includes:
* Powerless policy – The study suggests that two-thirds of the investigated break-ins into cloud environments would likely have been prevented by more robust system hardening, such as the proper implementation of security policies and patches.
* Lurking in the shadows – “Shadow IT”, meaning cloud instances or resources that are not provisioned through a company’s official channels, indicates that many companies do not meet today’s basic security standards. In fact, X-Force estimates that the use of shadow IT contributed to over 50% of the data exposures examined.
* Password is “admin 1” – The report draws on the X-Force Red data collected over the past year and shows that the vast majority of the team’s penetration tests across various cloud environments found problems with passwords or policy compliance.
The reuse of these attack vectors underscores that threat actors repeatedly rely on human error to break into organizations. Businesses and security teams need to hold the line.
Dark web flea markets selling cloud access
Cloud resources give cyber actors an abundance of corporate footholds, and the tens of thousands of cloud accounts for sale on illegal marketplaces draw attention to this.
The report reveals that nearly 30,000 compromised cloud accounts have shown up on the dark web, with asking prices ranging from a few dollars to over $15,000 (depending on geography, account balance and account access level), along with enticing refund policies designed to sway buyers.
However, this is not the only cloud “tool” for sale in dark web markets. Analysis shows that Remote Desktop Protocol (RDP) accounts for more than 70% of the cloud resources for sale – a remote access method that far surpasses all other vectors marketed.
While illicit marketplaces are the go-to shop for threat actors looking for cloud access, what worries us most is a persistent pattern in which weak security controls and protocols, avoidable forms of vulnerability, are repeatedly exploited for illegal access.
* Article by Charles DeBeck, Senior Cyber Threat Intelligence Analyst at IBM