Cloud attacks are increasingly targeting service providers. Expert Frank Siemons looks at the different types of attacks from which service providers and enterprises should be protected.
It is no surprise that the rapid growth of cloud adaptation has attracted unwanted attention from potentially harmful parties. A company used to be directly targeted or targeted through a connected partner with federation or a VPN.
Now, another attack vector that provides unprecedented levels of access for any attacker able to pull off an attack is a cloud service provider (CSP). A breach of a CSP could potentially give an attacker access to the managed clients as well, hugely increasing the impact and the value of successful cloud attacks.
PwC and BAE Systems put out a report called "Operation Cloud Hopper" in April 2017 that described the actions undertaken by the APT10 group to achieve such an outcome. Although most of these actions fall into the more traditional attack categories, such as spear phishing -- but combined and on a much larger scale -- it does indicate a shift in the focus of attacks toward CSPs. Some more specific cloud attacks, directly aimed at the managed infrastructure, have been seen over the recent years, as well.
Escaping the sandbox using vulnerabilities
Various vulnerabilities have been published that, until they were patched, allowed an attacker to escape a sandboxed, cloud-hosted system to gain access to the cloud platform itself. One example is the Microsoft Azure zero-day, cross-site scripting (XSS) exploit published by Chris Dale in 2016.
By using an XSS vulnerability in a web server, Dale managed to crash a site and then attack the troubleshooting software-as-a-service administrators via unauthorized JavaScript execution in their browser. This was a relatively easy attack method, and it only covered a single platform, but there are more of these vulnerabilities out there, most of them still unknown to the public.
Adequate system patching, regular penetration testing and real-time security monitoring are the best risk mitigation measures to address these vulnerabilities.
Misconfigurations used for cloud attacks
Security often focuses on interesting vulnerabilities and exploits, but there is usually less focus on common misconfigurations or bad implementations. A misconfiguration, such as a simple or default password, an insecure API or a badly implemented and unpatched hypervisor, can also lead to a security compromise.
An API, for instance, can be used to manage systems, automatically push or pull data between systems and complete many more administrative tasks. If this communication is not secure, or if there is no proper authentication in place, an attacker could manipulate requests, data and even the system itself.
The best method to deal with these misconfigurations is to have proper change control systems in place, to include security experts in the review panel and to have solid, secure configuration standards in place.
Man-in-the-cloud attacks
A man-in-the-cloud attack is a recently discovered attack method that focuses on the manipulation and theft of a user's cloud synchronization token. The victim is usually hit with malware via a malicious website or email, after which the attacker gains access to their local files.
By replacing the cloud synchronization token for one that points to the attacker's cloud account and placing the original token into the selection of files that will be synchronized, the victim is lead to unknowingly upload their original token to the attacker. That token can then be used by the attacker to gain access to the victim's actual cloud data.
From a protection perspective, malware prevention is key to thwarting these cloud attacks.
Distributed denial-of-service attacks
Due to the large bandwidth capacity available to CSPs, the traditional distributed denial-of-service (DDoS) attack methods -- which use many systems at once to overload the target system with data or requests -- are becoming less effective. We have seen, however, that there are many other vectors available to achieve a denial-of-service state on a target system located on a cloud platform.
The 2016 Dyn attack demonstrated that even the cloud platform itself can be brought to its knees. This was a targeted DDoS attack aimed at bringing down the domain name system infrastructure for the web provider Dyn. That attack took down access to large websites and platforms around the world, such as Amazon and Twitter.
From a customer perspective, there is not much that can be done against an attack on the hosting platform itself. It is recommended, however, that you investigate how the traffic of a large DDoS attack could affect the costs of a service. It is also worth exploring the CSP market to look into what protections the various providers have in place to prevent such outages.
Conclusion
Successful cloud attacks on service providers are rare, but their impact can be enormous, both to a provider and to its customers. The risk of these cloud attacks is manageable, though it does require a broad approach that includes having the right security controls in place, monitoring their output in real-time, capacity planning and adequate change control policies.