A growing number of cybercriminals are developing malware to conduct attacks on virtualized environments, and some are aggressively trying to exploit vulnerabilities already found in software for deploying virtual infrastructure, according to a report from Positive Technologies.
Overall, the number of cyberattacks increased by 17% in 2021 compared to the first quarter of 2020, with 77% being targeted attacks, according to the report. The most popular vulnerabilities for attackers to exploit this quarter were breaches in the Microsoft Exchange Server software (ProxyLogon) and the outdated file sharing program Accellion FTA.
The share of ransomware operators in attacks on governmental institutions also is increasing; they were found in 70% of malware attacks. In addition to ransomware, attackers also used banking Trojans (18% of malware attacks), RATs (13%) and spyware (8%).
Popular cloud services that facilitate interaction and simplify companies’ IT infrastructure also became a favorite target for attackers.
The study said the reason for this phenomenon is that by attacking a cloud service provider, hackers can gain access to the customers’ data, which is what happened, for example, during the January incident involving the Bonobos clothing store.
The store suffered a data leak due to an attack on the cloud service provider that the company used to store customer credentials and personal data. A similar incident occurred with the network equipment manufacturer Ubiquiti.
Attacks Focus on Multipliers
Dirk Schrader, global vice president of security research at NNT, said the report highlights a growing focus on multipliers; targets that allow the attacker easy access to a large number of victims, whether by supply chain attacks or by attacking cloud service providers.
“Other attack vectors remain on a high level by itself, but it is bad news for telecom operators and cloud providers that they will be in the crosshairs even more in future,” he said. “That shift should not lead to a lowered guard for other organizations, as the attackers will continue to add to their arsenal.”
Schrader said it would be necessary and vital to monitor infrastructure for unexpected changes as well as maintain diligence on accounts and associated user rights.
Tyler Shields, CMO at JupiterOne, pointed out the Bonobos attack appears to have been a result of a backup stored in the cloud in an insecure manner.
“Sadly, these types of attacks are one of the most common attack vectors seen in cloud environments today,” he said. “The threat, generally, is caused by a misconfiguration of a cloud service provider that leaves data in an insecure state.”
Shields said the best solution for these types of issues is to implement a digital asset management solution that tracks and alerts on changes in the state of cloud solutions and services.
“If one of these services drifts from a known secure state, an alert should fire,” he said.
Securing the Cloud Transition Against Threats
Security in the cloud is fundamentally different from on-premises and it’s still new for many security leaders, noted Vishal Jain, co-founder and CTO at Valtix.
“Whether cloud-first or hybrid, organizations are working quickly to get the right policies in place to support this transition,” he said.
In particular, the shared responsibility model can be challenging when you have a mix of IaaS, PaaS and SaaS—each with different security requirements.
Jain said multi-cloud makes matters worse since each cloud provider has its own nuances.
“In the end, you still need layered security and visibility in the cloud,” he said. “Cloud-first tools can help meet these needs through robust security that also adapts to the dynamic nature of cloud environments.”
The report also noted a rising trend: attackers gearing their malware attacks towards virtual infrastructure. After ramping up in Q4 2020, these attacks dominated in the first quarter of 2021. The report linked that trend primarily to the global process of moving corporate IT infrastructure into a virtual environment.
“Attackers carefully monitor information about new vulnerabilities and try to find a use for these in their attacks as soon as possible,” the report noted, noting the topic of gaining access to virtual infrastructure and cloud services is a fairly popular one on the dark web.
In addition to ready-to-use access to certain companies, attackers post offers to hack companies by request on dark web message boards.
“The services of so-called brokers are also used by ransomware operators for acquiring credentials to log in to the systems,” the report explained.
Given the specifics of the attacks in the past quarter, Positive Technologies said it strongly recommends organizations install security updates in a timely manner and pay special attention to protecting virtual infrastructure.
The company also called for strengthened security at the corporate perimeter through the use of security tools such as web application firewalls for protecting web resources.