Original article from Trend Micro
Security researchers at Trend Micro have analysed the threats and attacks of the first half of 2021. The report Attacks From All Angles: 2021 Midyear Security Roundup highlights many of the active attacks, from APTs and ransomware to zero-day exploits. Our researchers singled out one area where they noticed increased activity: Attacks against cloud infrastructure.
For our Cyber Risk Index for H1 2021, we asked companies what their biggest risks to infrastructure were. Security for the cloud has been one of the two priority issues in recent years. Obviously, many companies are rapidly moving to the cloud and therefore need to think about how to secure it. The following table gives an overview of the current cloud attacks:
Ransomware continued to be the biggest threat in the first half of the year, as cybercriminals continued to target high-profile victims. They worked with third parties to gain access to target networks and used Advanced Persistent Threat tools and techniques to steal and encrypt victims’ data.
Threats to cloud environments
The semi-annual report looks at the APT group called TeamTNT, which has been targeting clouds for some time. They focused primarily on injecting crypto-mining malware into cloud servers to mine Monero currency, but they also used DDoS IRC bots, stole cloud account credentials and exfiltrated data. The diagram above shows that most attacks target these areas.
Speaking of data exfiltration: In the first half of the year, we observed APT actors using cloud-based file storage to exfiltrate their stolen data. For example, Conti actors used the cloud storage synchronisation tool Rclone to upload files to the cloud storage service Mega. Similarly, DarkSide backers used the Mega client to exfiltrate files to cloud storage, 7-Zip for archiving, and the PuTTY application to transfer files across the network. This use of known legitimate tools is not new; we call it “living off the land”, and this tactic has increased recently, including among ransomware actors. Many organisations now need to look for ways to monitor the use of legitimate tools on their networks to detect malicious use.
Furthermore, Trend Micro’s report also reveals the following:
Cloud security architecture
When developing a cloud security architecture and strategy, it is important to always keep in mind the possible intended purpose of attacks. In this case, what are the motivations and goals of an attacker? The picture shows that most cloud attacks serve one of these goals. Depending on what an organisation is doing within its cloud infrastructure, it should be able to identify whether any or all of these end targets in the environment could be targeted. From there, the strategy for protecting these initial access areas associated with the various attacks can then be developed.
One challenge regarding the cloud, is that it is not simply composed, many of the technological components are new and new features are being introduced all the time. Understanding how these work and, more importantly, how to secure them can be very difficult.
Using a security platform (such as Trend Micro Cloud One) can do a lot to protect the cloud, and training for architects and administrators is also helpful. Securing cloud account credentials is an important area, as these are regularly attacked by malicious actors. Using multifactor authentication to access all accounts can minimise this risk.
The cloud is just one aspect of our full report for the first half of 2021. For more details on the various threats and attacks we observed, download the full report.