
How implementation of cloud services during the COVID-19 pandemic made your attack surface more vulnerable

Lockdown policies during the COVID-19 pandemic led to rapidly expanding attack surfaces. Cloud computing in particular became critical to enabling work-from-home, telemedicine, e-commerce and online learning. In 2020 Gartner predicted that COVID-19 would cause worldwide end-user spending on public cloud services to grow by 18.4% in 2021. Yet, despite clear advantages, cloud computing comes with a host of vulnerabilities. The rapid and at times ad hoc implementation of cloud services during the pandemic made it difficult for organizations to keep track of their growing assets and to defend them properly. This increased the potential for cybercriminals to use cloud services as entry points into organizations’ networks.

Cloud computing services have long been an attractive target for cybercriminals. In 2021 Russia’s Sunburst cyberespionage campaign targeting a Microsoft cloud service impacted more than 100 large companies and U.S. federal agencies. The Microsoft cloud service targeted by Sunburst had a feature which synchronized user identities. The attackers stole security certificates and forged their own identities, allowing them to bypass security controls including multi-factor authentication. As a result, the Sunburst operators were able to access cloud accounts and the emails and files they contained.


Why do hackers target cloud services?

  1. Companies rely on the cloud for data storage, databases, reliability and many other features

  2. The cloud landscape is constantly changing in a way which carries more risks

  3. Access to cloud services offers the perfect starting point for multi-staged attacks


Companies store a lot of data in the cloud

Hadrian hacker Pepijn van der Stap points out that “companies store terabytes of data in cloud services,” making them the perfect target for hackers looking to hit the jackpot. This data contains sensitive or personally identifiable information about their users and business activities, even more so since the pandemic. As of 2022, over 60% of all corporate data is stored in the cloud.


The cloud landscape is constantly changing, making it easier for hackers to identify newly released changes and exploit them

Cloud providers are constantly releasing new services, which makes it more likely that there will be a misconfiguration a hacker can exploit. Pepijn van der Stap says, “Attackers are constantly attacking cloud services to find misconfigurations and vulnerabilities. They do this because every minute the cloud landscape changes due to created or deleted services.”

A well-known approach is for a hacker to find misconfigured access controls and exploit them to gain access to sensitive data stored in S3 buckets or other types of cloud storage. Here, large word lists are generated and run against services to discover any publicly readable files belonging to the storage services that turn up. Van der Stap says that it is sometimes even possible to overwrite files on the storage services, with disastrous consequences.
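The misconfiguration described above is usually a bucket policy that grants access to an anonymous principal. The following is an added example (not Hadrian's code and not from the article) of a defensive check that flags such statements in a bucket policy document: it reports anonymous read grants, anonymous write grants (the overwrite case van der Stap mentions), and anonymous grants that carry a Condition and need a human to judge. The two policies are constructed for illustration; the account id, role name and VPC endpoint id in them are placeholders.

```python
"""Added example (not from the article): flag bucket policies that grant
anonymous read or write access, the storage misconfiguration described above."""
import json
from fnmatch import fnmatchcase

# Constructed sample policies; identifiers are placeholders, not real accounts.
PUBLIC_READ_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-assets/*"},
    ],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "PublicButConditioned", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, authenticated or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _grants(actions, wanted):
    # Policy actions may be wildcards ("s3:*", "s3:Get*"); match each wanted
    # action name against each policy pattern.
    return any(fnmatchcase(w, a) for a in actions for w in wanted)


def find_public_grants(policy_json):
    """Return (Sid, finding) pairs for Allow statements with an anonymous principal.

    'public-write' is reported ahead of 'public-read' because it is the worse
    case; a statement with a Condition is reported as needing review rather
    than being silently accepted or rejected."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        sid = stmt.get("Sid", "<no Sid>")
        if "Condition" in stmt:
            findings.append((sid, "anonymous-with-condition"))
            continue
        if _grants(actions, WRITE_ACTIONS):
            findings.append((sid, "public-write"))
        elif _grants(actions, READ_ACTIONS):
            findings.append((sid, "public-read"))
    return findings


if __name__ == "__main__":
    for name, policy in (("rw", PUBLIC_READ_WRITE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_public_grants(policy))
```

The check deliberately looks only at the policy document, so it runs offline; in practice it would be fed the output of the provider's get-bucket-policy call and combined with the account-level public access block settings, which can override what the policy says.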

Access to cloud services offers the perfect starting point for multi-staged attacks

Cloud services provide an attractive target for attackers because they offer a strong launch point for multi-stage exploits and deeper infiltration into a company network. Cloud technology often relies on shared layers such as virtualization and cloud orchestration. By exploiting a vulnerability in any one of these shared layers, attackers can gain extensive access to an organization’s network and sensitive information. For instance, weaknesses in a hypervisor can allow attackers to gain control over virtual machines or even the host itself.

Van der Stap gives an example of one of the ways a hacker can use access to cloud services to infiltrate a company network. “Hackers can insert malware into the existing libraries which get loaded into the browsers of visitors,” says van der Stap. By leveraging these attacks, a bad actor can take control of accounts on the affected website, gather sensitive data about visitors on a mass scale, or even attack the devices of users directly.


How has the pandemic fueled the expansion of cloud services as an attack surface?

While cloud services have always been attractive targets, rapid and ad hoc implementation during the COVID-19 pandemic exacerbated vulnerabilities. The sudden increase in demand for cloud services meant organizations often began implementation without clearly defined security strategies. The addition of new infrastructure and tools drastically expanded attack surfaces, and their ad hoc implementation meant the new assets were difficult to manage. Ad hoc attack surface expansion made it harder to keep security settings consistent across assets, and the use of multiple services meant multiple control planes to keep track of. Such quick and unorganized expansion of the attack surface created more unknown unknowns, and thus undefended digital assets which cybercriminals could exploit.

“There have been more hacks and leaks since the acceleration of cloud service expansion,” says van der Stap. “Recently there was a vulnerability discovered by wiz.io which directly impacted customers of a cloud service provider, as they could gain the highest privileges in a shared environment for data storage. Exploitation of the vulnerability could have led to exposing organizations’ sensitive information.” Van der Stap notes that we can expect to see a lot more research into cloud environments in the near future.


What are the most common attacks on expanding cloud services?

  1. Cloud malware injection attacks

  2. Server-side request forgery

  3. Supply chain attacks

  4. Wrapping attacks

  5. Man-in-the-cloud attack

Cloud malware injection attacks

A cloud malware injection attack occurs when a hacker takes control of a cloud service. The aim is to hijack users’ requests and gain the ability to change where those requests end up. Once this is achieved, the attacker can target visitors or the business itself, for example by causing visitors to download malicious files that compromise their systems.


Server-side request forgery

In a server-side request forgery a malicious actor attempts to induce the server-side application to make a request to a location specified by the attacker. Often these requests are made by having the server connect to reachable services on internal servers, in virtualized environments, or directly to a cloud service provider. If the request is successfully made, the attacker can gain access to sensitive data within the organization. Successful exploitation can grant access to parts of the cloud environment, or sometimes even full access.
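The defence against the pattern just described is to validate the destination before the server makes the request, rather than fetching whatever URL it was handed. The following is an added example (not from the article or from Hadrian) of such a check: it restricts the scheme, resolves the hostname, and refuses any destination whose address falls in loopback, private, carrier-grade NAT, multicast or link-local space, the last of which is where cloud providers host their instance metadata endpoints. Hostnames such as `partner.example` and the `FAKE_DNS` table are constructed so the example runs offline; `resolve_all` is the real resolver that production code would use.

```python
"""Added example (not from the article): validate a URL before a server-side
fetch, the control that blocks the SSRF pattern described above."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Address ranges a server should never be induced to call on a client's behalf:
# loopback, RFC 1918, carrier-grade NAT, multicast, and the 169.254.0.0/16
# link-local range that hosts cloud provider metadata endpoints.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_internal_address(ip_text):
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    # Membership tests across IP versions are simply False, so one list serves both.
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(hostname):
    """Every address the name resolves to; an attacker-controlled name can
    resolve to an internal address, so all of them must pass the check."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def check_outbound_url(url, resolve=resolve_all, allowed_hosts=None):
    """Return (ok, reason). The vulnerable pattern is to fetch the URL as given;
    here the request is refused unless the scheme, the host and every resolved
    address are acceptable."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme"
    if parts.username or parts.password:
        return False, "credentials-in-url"
    host = parts.hostname
    if not host:
        return False, "no-host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host-not-allowlisted"
    try:
        addrs = resolve(host)
    except (socket.gaierror, ValueError):
        return False, "unresolvable"
    if not addrs or any(is_internal_address(a) for a in addrs):
        return False, "internal-address"
    return True, "ok"


# Constructed resolver stub so the example runs offline; production code uses
# resolve_all. 203.0.113.0/24 is a documentation range standing in for a
# legitimate public address.
FAKE_DNS = {
    "partner.example": {"203.0.113.10"},
    "rebinding.example": {"203.0.113.10", "10.0.0.5"},  # one public, one private
    "metadata.example": {"169.254.169.254"},
}


def fake_resolve(hostname):
    try:
        return {str(ipaddress.ip_address(hostname))}  # IP literal, no lookup needed
    except ValueError:
        pass
    if hostname not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {hostname}")
    return FAKE_DNS[hostname]


if __name__ == "__main__":
    for candidate in ("https://partner.example/report", "http://metadata.example/",
                      "http://127.0.0.1:8080/", "file:///etc/passwd"):
        print(candidate, check_outbound_url(candidate, resolve=fake_resolve))
```

Two details matter in practice: the check must cover every address a name resolves to (a name that maps to one public and one private address is rejected here), and the HTTP client that eventually makes the request must not follow redirects blindly, since a redirect to an internal address would bypass a check done only on the original URL. Where the set of legitimate destinations is known, passing `allowed_hosts` is stronger than any denylist.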


Supply chain attacks

In these kinds of attacks, attackers may target the companies that provide an organization’s hardware or software. These attacks also involve modifying specific software libraries, frameworks or other elements known to be used by a particular organization. For example, if an attacker adds a backdoor to a library that gets updated automatically, the backdoor is pulled into every environment that consumes the library, giving the attacker a foothold there. Attacks on commonly used components have a huge impact when those components are automatically integrated into a system.

Many companies and solo developers rely on third-party software in their development cycles. Companies that self-host may forget to update their third-party applications when a new vulnerability is discovered, which is just one of the ways elements of a supply chain are left exposed to attackers.
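One control against the automatic-update scenario in the two paragraphs above is to pin each third-party artifact to the hash recorded when it was reviewed, so that a changed artifact is refused instead of integrated. The following is an added example (not from the article or from Hadrian) of that check in its simplest form; the artifact bytes, the package name `helper-lib==1.4.2` and the lock table are constructed. Real package managers implement the same idea (for example pip's `--require-hashes` mode and the `integrity` field in npm lock files).

```python
"""Added example (not from the article): pin third-party components to known
hashes so an automatically pulled update that differs from the reviewed
version is refused rather than integrated."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vendor artifacts; a real lock file pins the hash of
# each wheel, tarball or container layer at the time it was reviewed.
GOOD_LIBRARY = b"def helper():\n    return 42\n"
TAMPERED_LIBRARY = GOOD_LIBRARY + b"# unreviewed change\n"

LOCKFILE = {
    "helper-lib==1.4.2": sha256_hex(GOOD_LIBRARY),
}


def verify_artifact(name, data, lockfile=LOCKFILE):
    """Return 'ok', 'mismatch' (content differs from the reviewed version) or
    'unpinned' (never reviewed). Both non-ok results should fail the build."""
    pinned = lockfile.get(name)
    if pinned is None:
        return "unpinned"
    # Constant-time comparison; not security-critical for a hash check, but a
    # habit worth keeping wherever digests are compared.
    return "ok" if hmac.compare_digest(sha256_hex(data), pinned) else "mismatch"


def check_build(downloads, lockfile=LOCKFILE):
    """downloads maps artifact name to its bytes. Returns the problems found,
    sorted by name; an empty list means every artifact matched its pin."""
    problems = []
    for name, data in downloads.items():
        status = verify_artifact(name, data, lockfile)
        if status != "ok":
            problems.append((name, status))
    return sorted(problems)


if __name__ == "__main__":
    print(check_build({"helper-lib==1.4.2": GOOD_LIBRARY}))
    print(check_build({"helper-lib==1.4.2": TAMPERED_LIBRARY, "other-lib==0.1": b"x"}))
```

The pin has to be updated deliberately, by a person who reviewed the new version, for the control to mean anything; an automated job that re-pins whatever it just downloaded reintroduces exactly the trust-by-default the page warns about.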


Wrapping attacks

This kind of attack allows an attacker to manipulate a signed XML document. A wrapping attack was used against Amazon Elastic Compute Cloud (EC2) in 2009, exploiting a vulnerability in its SOAP interface. The weakness allowed attackers to modify an eavesdropped message.

Man-in-the-cloud attacks

Man-in-the-cloud attacks describe a process where a bad actor, having already gained access, hides malicious traffic between the victim’s device and the attacker’s command-and-control system. In the case of the cloud, a cloud service the victim already uses becomes the channel for hiding this traffic.



How can Hadrian help with attack surface management?

Hadrian helps to increase awareness of unknown digital assets within these cloud environments by automating the approach a hacker would take to exploiting these vulnerabilities. Hadrian hacker Pepijn van der Stap gives an example of one of the vulnerabilities Hadrian continuously looks for, with efficient and effective probes: “Load balancers can be misconfigured and exploited but are difficult to fingerprint exactly without refined methodologies. Probing for these vulnerabilities should be done often, and because Hadrian continuously probes for new assets and vulnerabilities it is more likely we will identify these risks.” In addition, we also research anomalies in crucial parts of the internet.



Written by: Hadrian
