Impact of COVID-19 on cloud security
Lockdown policies during the COVID-19 pandemic led to rapidly expanding attack surfaces. Cloud computing especially became critical to allowing for work-from-home, telemedicine, e-commerce and online learning. In 2020 Gartner predicted that COVID-19 would cause worldwide end-user spending on public cloud services to grow by 18.4% in 2021.
Yet, despite clear advantages, cloud resources come with a host of vulnerabilities. The implementation of cloud computing services during the pandemic was rapid and at times ad hoc. It became difficult for organizations to keep track of growing assets and properly defend against these vulnerabilities. The potential for cybercriminals to use cloud services as entry points into organizations’ networks grew, making cloud security more important than ever.
Cloud computing services have long been an attractive target for cybercriminals. In 2021 Russia’s Sunburst cyberespionage campaign impacted more than 100 large companies and U.S. federal agencies. The Microsoft cloud service targeted by Sunburst had a feature which synchronized user identities. Cybercriminals stole security certificates and created their own identities, allowing them to bypass security protocols including multi-factor authentication. As a result, Sunburst was able to access cloud accounts and the emails and files they contained.
Why do hackers target cloud services?
- Companies rely on the cloud for data storage, databases, reliability and many other features
- The cloud landscape is constantly changing in a way which carries more risks and allows for security breaches
- Access to cloud services offers the perfect start-point for multi-staged attacks
Companies store a lot of data in the cloud
According to Statista, as of 2022 companies stored on average 60% of their data in the cloud, making them the perfect target for hackers looking to hit the jackpot. This data contains sensitive or personally identifiable information about their users and business activities, even more so since the pandemic.
The cloud landscape is constantly changing, making it easier for hackers to identify newly released changes and exploit them
Cloud providers are constantly releasing new services, which makes it more likely that there will be a misconfiguration a hacker can exploit. This presents an ideal opportunity for hackers, who continuously scan for misconfigurations and vulnerabilities. The moment one is found they can launch attacks before the company or the cloud service provider discovers the issue.
A well-known approach is for a hacker to find these misconfigured access controls and exploit them, leading to data breaches. The attacker can then gain access to sensitive data stored in S3 buckets or other types of cloud storage. Here, large word lists are generated and run against services to discover any publicly readable files that belong to the discovered storage services. It is even possible to overwrite files on the storage services, leading to disastrous consequences.
Access to cloud services offers the perfect start-point for multi-staged attacks
Cloud services provide an attractive target for attackers because they offer a strong launch point for multi-stage exploits and deeper infiltration into a company network. Cloud technology often relies on shared technologies like virtualization and cloud orchestration. By exploiting a vulnerability in any one of these cloud technologies attackers can gain extensive access to an organization’s network and sensitive information. For instance, weaknesses in a hypervisor can allow attackers to gain control over virtual machines or even the host itself.
One example of how a hacker can use access to cloud services to infiltrate a company network is tampering with hosted libraries. Hackers can insert malware into the existing libraries which get loaded into the browsers of visitors. By leveraging these attacks, a bad actor can take control of accounts on the affected website. They can also gather sensitive data about visitors on a mass scale, or even attack the devices of users directly.
How has the pandemic fueled the expansion of cloud services as an attack surface?
While cloud services have always been attractive targets, rapid and ad hoc implementation during the COVID-19 pandemic exacerbated vulnerabilities. The sudden increase in demand for cloud services meant organizations often began implementation without clearly defined strategies for security. The addition of new infrastructure and tools drastically expanded cloud security attack surfaces, and their ad hoc implementation meant new assets were difficult to manage.
Ad hoc attack surface expansion raised challenges for synchronizing security settings and centralizing security measures across assets. The use of multiple services meant multiple control hubs which can be more difficult to keep track of. Such quick and unorganized expansion of the attack surface created the potential for more undefended digital assets which cybercriminals could exploit.
“There have been more hacks and leaks since the acceleration of cloud service expansion. Recently there was a vulnerability discovered by wiz.io which directly impacted customers of a cloud service provider, as they could gain the highest privileges in a shared environment for data storage. Exploitation of the vulnerability could have led to exposing organizations’ sensitive information.” We can expect to see a lot more research into cloud environments in the near future.
What are the most common attacks on expanding cloud services?
Cloud attack examples include:
- Cloud malware injection attacks
- Server-side request forgery
- Supply chain attacks
- Wrapping attacks
- Man-in-the-cloud attacks
Cloud malware injection attacks
This attack occurs when a hacker takes control of the cloud service. The aim is to hijack the user’s requests and gain the ability to change the user’s final destination. Once exploited, they can target visitors or the business itself. For example, attackers can cause visitors to download malicious files that lead to the compromise of the visitor’s system.
Server-side request forgery
In a server-side request forgery a malicious actor will attempt to induce the server-side application to make a request to a location specified by the attacker. Often these requests are made by having the server connect to reachable services on internal servers, virtualized environments, or directly to a cloud service provider. If this request is successfully made, the attacker can gain access to sensitive data within the organization. Successful exploitation can grant access to parts of the cloud environment, or sometimes even full access.
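The defensive counterpart to the attack described above, as an added example (not code from the original article or from Hadrian): before a server-side application fetches a user-supplied URL, resolve the hostname and refuse any destination in loopback, private or link-local address space. The hostnames and DNS answers are constructed for the demonstration and do not refer to real systems.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach for a user-supplied URL: loopback,
# RFC 1918, link-local (where instance metadata endpoints live), multicast, IPv6 kin.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10")]

def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return any(ip in net for net in BLOCKED_NETWORKS)

def system_resolver(host):  # every A/AAAA answer, not just the first one
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_outbound_url(url, resolver=system_resolver):
    """Vet a URL before the server fetches it; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)  # IP literal: check it as-is
        addrs = {host}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    # Connect to one of the vetted addresses rather than re-resolving (DNS rebinding).
    return True, "ok"

# Constructed DNS answers so the check runs offline; these are not real hosts.
CONSTRUCTED_DNS = {"api.example.com": {"93.184.216.34"}, "intranet.example.com": {"10.0.0.5"},
                   "rebind.example.com": {"93.184.216.34", "169.254.169.254"}}

def constructed_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"no such host: {host}")  # stands in for socket.gaierror
    return CONSTRUCTED_DNS[host]
```

The check deliberately rejects a name that resolves to both a public and an internal address, since a single public record would otherwise mask the internal one.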
Supply chain attacks
In these kinds of attacks, attackers may target the companies that provide an organization’s hardware or software. These attacks also involve modifying specific software libraries, frameworks or other components known to be used by a specific organization. For example, if an attacker adds a backdoor into a library that gets updated automatically, it embeds itself in that environment and gives the attacker access through that library. Attacks on commonly used components have a huge impact when those components are automatically integrated into a system.
Many companies and solo developers rely on third-party software for their development cycles. Companies who self-host may forget to update their third-party applications when a new vulnerability is discovered. Attackers can then push updates to elements in supply chains.
Wrapping attacks
This kind of attack allows an attacker to manipulate a signed XML document. A wrapping attack was used against Amazon Elastic Compute Cloud (EC2) in 2009, exploiting a vulnerability in its SOAP interface. The weakness allowed attackers to modify an eavesdropped message.
Man-in-the-cloud attacks
Man-in-the-cloud attacks describe a process where a bad actor hides malicious traffic between the victim’s device and the attacker’s command and control system. This traffic is hidden after the attacker has already gained access. In the case of the cloud, the cloud service the victim already uses becomes a way of hiding this traffic.
How can Hadrian help with attack surface management?
Hadrian helps to increase awareness of unknown digital assets within these cloud environments. Hadrian does so by automating the approach a hacker would take to exploiting these vulnerabilities.
Using the effective and efficient probes developed at Hadrian, we continuously search for vulnerabilities. For example, load balancers can be misconfigured and exploited but are difficult to fingerprint exactly without refined methodologies. Probing for these vulnerabilities should be done often; because Hadrian probes continuously, we are more likely to identify these risks. Hadrian also researches anomalies in crucial parts of the internet; to learn more, please get in touch with our experts.