RedLock released the latest “Cloud Security Trends” report from the RedLock Cloud Security Intelligence (CSI) team, a group of elite security analysts, data scientists and data engineers, that uncovers serious threat vectors and highlights the need for shared responsibility for security within a public cloud environment. The RedLock CSI team also revealed that hackers infiltrated a public cloud environment owned by Tesla, the renowned company specializing in electric vehicles, energy storage and solar panel manufacturing.
The new report offers a compelling look at the threats and vulnerabilities that continue to mount in public cloud computing environments. Among the findings:
- Account compromises keep rising: Poor user and API access hygiene, combined with ineffective visibility and user activity monitoring, are causing organizations to be more vulnerable to breaches. For example, 73% of organizations allow the root user account to be used to perform activities—behavior that goes against security best practices. Furthermore, 16% of organizations have user accounts that have potentially been compromised.
- The cryptocurrency effect: In many hacks, the goal is to steal data; now, the thieves also hijack compute resources in order to mine cryptocurrencies (as detailed in the October 2017 Cloud Security Trends report). The research reveals that 8% of organizations suffer from this strain of criminality, which mostly goes unnoticed because of ineffective network monitoring.
- Still a long way from compliance: The General Data Protection Regulation (GDPR) goes into effect in a few months, but organizations are far from where they need to be to effectively govern the cloud and ensure compliance. For instance, the analysis shows that 66% of databases are not encrypted.
- Spectre, Meltdown and More: The vulnerabilities highlighted in the recent Spectre and Meltdown scares should serve as a wakeup call for organizations to address vulnerability management in the cloud. However, the research demonstrates that 83% of vulnerable hosts in the cloud are receiving suspicious traffic, and many organizations cannot see it because standalone on-premise tools do not extend that visibility into the cloud.
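To make the root-account finding above concrete, here is an added example (not part of the RedLock report or this article) of the kind of check an organization would run over its own AWS CloudTrail logs: it flags every API call made as the account root user and raises the severity for console logins without MFA. The events are constructed for the example but use CloudTrail's real field names (`userIdentity.type`, `eventName`, `additionalEventData.MFAUsed`); the account ID is a placeholder.

```python
import json
from collections import Counter

# Constructed CloudTrail-style events, abridged to the fields this check reads.
# 111122223333 is a placeholder account ID, not a real account.
SAMPLE_EVENTS = [
    {"eventTime": "2018-02-20T10:01:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-02-20T10:02:30Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2018-02-20T10:05:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2018-02-20T11:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

# CloudTrail log files wrap events in {"Records": [...]}; build one from the sample.
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_EVENTS})


def root_activity(events):
    """Return one finding per event performed as the account root user.

    Any root API call is reported (root should not be used for day-to-day work);
    a root console login without MFA is reported at higher severity.
    """
    findings = []
    for ev in events:
        if ev.get("userIdentity", {}).get("type") != "Root":
            continue
        name = ev.get("eventName", "")
        severity, detail = "medium", f"root performed {name} via {ev.get('eventSource', '?')}"
        if name == "ConsoleLogin":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed", "No")
            if mfa == "Yes":
                detail = "root console login (MFA used)"
            else:
                severity, detail = "high", "root console login without MFA"
        findings.append({"time": ev.get("eventTime"), "severity": severity, "detail": detail})
    return findings


def root_activity_from_log(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) and run the check."""
    return root_activity(json.loads(log_text).get("Records", []))


def summarize(findings):
    """Count findings by severity, e.g. {'high': 1, 'medium': 2}."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in root_activity_from_log(SAMPLE_LOG_TEXT):
        print(f["time"], f["severity"].upper(), f["detail"])
    print(dict(summarize(root_activity(SAMPLE_EVENTS))))
```

In production this would run against CloudTrail delivered to S3 or CloudWatch Logs rather than an inline list, and the "medium" findings would normally be routed to an alert of their own, since the expected volume of root API calls in a well-run account is zero.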
In the course of their work, RedLock CSI researchers also learned about an intrusion into Tesla’s public cloud environment. In this case the hackers not only gained unauthorized access to non-public Tesla data, but were also stealing compute resources within Tesla’s Amazon Web Services (AWS) environment for cryptojacking. The researchers immediately informed Tesla of their findings, and the vulnerabilities have already been addressed.
The Tesla findings build on research from last year, when the CSI team found that hundreds of Kubernetes administration consoles were accessible over the internet without password protection, and were leaking credentials to other critical applications. In Tesla’s case, the cyber thieves gained access to Tesla’s Kubernetes administrative console, which exposed access credentials to Tesla’s AWS environment. Those credentials provided unfettered access to non-public Tesla information stored in Amazon Simple Storage Service (S3) buckets.
In addition, the cyber thieves performed cryptojacking using Tesla’s cloud compute resources and employed specific techniques to evade detection. For example, instead of connecting to one of the more familiar public ‘mining pools,’ they installed their own mining pool software and configured the malicious script to connect to an ‘unlisted’ endpoint. That makes it harder for standard IP/domain-based threat intelligence feeds to detect the malicious activity. Other tricks included hiding the true IP address of the mining pool server behind CloudFlare, and likely keeping CPU usage low to further evade detection.
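The evasion described above defeats detection that keys on destination IPs or domains, but the miner still has to speak the pool protocol. As an added example (not code from RedLock, Tesla or this article), the script below contrasts a blocklist lookup with matching on the first bytes of each outbound connection for Stratum-style JSON-RPC (Bitcoin-style `mining.*` methods and the `login` handshake used by Monero pools). The flows, the blocklist and the pool addresses are constructed for the example; the public addresses come from the RFC 5737 documentation ranges and nothing here is taken from the incident.

```python
import json
import re

# Constructed outbound connection records: (src, dst, dst_port, first payload bytes).
# 10.0.1.x are placeholder private hosts; 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.1.5", "198.51.100.10", 3333,
     b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'),
    ("10.0.1.9", "203.0.113.77", 443,                       # pool hidden on a "normal" port
     b'{"id":1,"jsonrpc":"2.0","method":"login",'
     b'"params":{"login":"WALLET","pass":"x","agent":"XMRig/2.4"}}\n'),
    ("10.0.1.7", "203.0.113.20", 443,
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),      # TLS ClientHello, benign
    ("10.0.1.7", "203.0.113.21", 80,
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),        # plain HTTP, benign
]

# A constructed blocklist standing in for an IP/domain threat-intel feed. It knows one
# public pool (198.51.100.10); the attacker-run, unlisted pool on 203.0.113.77 is not in it.
KNOWN_BAD_IPS = {"198.51.100.10"}

# Bitcoin-style Stratum methods. The Monero/CryptoNight variant uses "login" instead.
BTC_STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}


def ip_reputation_hits(flows):
    """What a purely IP-based feed would catch: only destinations already on the list."""
    return [f for f in flows if f[1] in KNOWN_BAD_IPS]


def stratum_method(payload: bytes):
    """Return the Stratum method name if the first bytes of a connection look like a
    Stratum JSON-RPC request, else None. Destination address and port are ignored."""
    try:
        msg = json.loads(payload.decode("utf-8").strip())
    except (UnicodeDecodeError, ValueError):
        # Truncated capture (snaplen) or non-JSON data: fall back to a cheap pattern
        # match, but only on the unambiguous "mining.*" method names.
        m = re.search(rb'"method"\s*:\s*"(mining\.[a-z_]+)"', payload)
        return m.group(1).decode() if m else None
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    if method in BTC_STRATUM_METHODS:
        return method
    # "login" on its own is too generic; require the pool-handshake parameter shape.
    if method == "login" and isinstance(params, dict) and {"login", "pass"}.issubset(params):
        return method
    return None


def content_hits(flows):
    """Flag connections by payload shape and record whether the IP feed would also fire."""
    hits = []
    for src, dst, port, payload in flows:
        method = stratum_method(payload)
        if method:
            hits.append({"src": src, "dst": dst, "port": port, "method": method,
                         "in_blocklist": dst in KNOWN_BAD_IPS})
    return hits


if __name__ == "__main__":
    print("IP feed only:", [f[1] for f in ip_reputation_hits(SAMPLE_FLOWS)])
    for h in content_hits(SAMPLE_FLOWS):
        print(h)
```

Running it shows the blocklist catching only the known public pool, while the payload check also catches the miner talking to the unlisted pool on port 443. The caveat a practitioner would add: once the pool is wrapped in TLS (the Cloudflare fronting mentioned above makes that the likely case) payload matching no longer works, and detection has to fall back to host-side signals such as miner processes and long-lived outbound connections, or to the CPU profile of the instance, which the attackers are described as deliberately keeping low.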
Gaurav Kumar, CTO of RedLock and head of the CSI team, said, “The message from this research is loud and clear—the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities. In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: Organizations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough.”
@Technuter.com News Service