The ease and speed with which new cloud tools can be deployed are also making it harder for security teams to control their usage, IBM Security reveals.
According to the data, basic security oversight issues, including governance, vulnerabilities, and misconfigurations, remain the top risk factors organizations must address to secure increasingly cloud-based operations.
Additionally, an analysis of security incidents over the past year sheds light on how cybercriminals are targeting cloud environments with customized malware, ransomware and more.
With businesses rapidly moving to cloud to accommodate remote workforce demands, understanding the unique security challenges posed by this transition is essential for managing risk.
While the cloud enables many critical business and technology capabilities, ad-hoc adoption and management of cloud resources is also creating complexity for IT and cybersecurity teams.
According to IDC, more than a third of companies purchased 30+ types of cloud services from 16 different vendors in 2019 alone. This distributed landscape can lead to unclear ownership of security in the cloud, creating policy “blind spots” and potential for shadow IT to introduce vulnerabilities and misconfiguration.
Cloud environment threats and challenges
- Complex ownership: 66% of respondents surveyed say they rely on cloud providers for baseline security; yet perception of security ownership varied greatly across specific cloud platforms and applications.
- Cloud applications opening the door: The most common path for cybercriminals to compromise cloud environments was via cloud-based applications, representing 45% of incidents in IBM X-Force IRIS cloud-related case studies. Cybercriminals took advantage of configuration errors as well as vulnerabilities within the applications, which often remained undetected due to employees standing up new cloud apps on their own, outside of approved channels.
- Amplifying attacks: While data theft was the top impact of attacks in the cloud, attackers also targeted the cloud for cryptomining and ransomware, using cloud resources to amplify the effect of these attacks.
“The cloud holds enormous potential for business efficiency and innovation, but also can create a ‘wild west’ of broader and more distributed environments for organizations to manage and secure,” said Abhijit Chakravorty, Cloud Security Competency Leader, IBM Security Services.
“When done right, cloud can make security scalable and more adaptable – but first, organizations need to let go of legacy assumptions and pivot to new security approaches designed specifically for this new frontier of technology, leveraging automation wherever possible. This starts with a clear picture of regulatory obligations and compliance mandate, as well as the unique technical and policy-driven security challenges and external threats targeting the cloud.”
Who owns security in the cloud?
Organizations rely heavily on cloud providers to own security in the cloud, even though configuration issues, which are typically the customer's responsibility, are most often to blame for data breaches (accounting for more than 85% of all breached records in 2019).
Additionally, perceptions of security ownership in the cloud varied widely across various platforms and applications. For example, 73% of respondents believed public cloud providers were the main party responsible for securing software-as-a-service (SaaS), while only 42% believed providers were primarily responsible for securing cloud infrastructure-as-a-service (IaaS).
While this type of shared responsibility model is necessary for the hybrid, multi-cloud era, it can also lead to variable security policies and a lack of visibility across cloud environments. Organizations that are able to streamline their cloud and security operations can reduce this risk through clearly defined policies that apply across their entire IT environment.
Top threats in the cloud: Data theft, cryptomining and ransomware
In order to get a better picture of how attackers are targeting cloud environments, incident response experts conducted an in-depth analysis of cloud-related cases the team responded to over the past year. The analysis found:
- Cybercriminals leading the charge: Financially motivated cybercriminals were the most commonly observed threat group category targeting cloud environments, though nation state actors are also a persistent risk.
- Exploiting cloud apps: The most common entry point for attackers was via cloud applications, including tactics such as brute-forcing, exploitation of vulnerabilities and misconfigurations. Vulnerabilities often remained undetected due to “shadow IT,” when an employee goes outside approved channels and stands up a vulnerable cloud app. Managing vulnerabilities in the cloud can be challenging, since vulnerabilities in cloud products remained outside the scope of traditional CVEs until 2020.
- Ransomware in the cloud: Ransomware was deployed 3x more than any other type of malware in cloud environments, followed by cryptominers and botnet malware.
- Data theft: Outside of malware deployment, data theft was the most common threat activity observed in breached cloud environments over the last year, ranging from personally identifying information to client-related emails.
- Exponential returns: Threat actors used cloud resources to amplify the effect of attacks like cryptomining and DDoS. Additionally, threat groups used the cloud to host their malicious infrastructure and operations, adding scale and an additional layer of obfuscation to remain undetected.
“Based on the trends in our incident response cases, it’s likely that malware cases targeting cloud will continue to expand and evolve as cloud adoption increases,” said Charles DeBeck, IBM X-Force IRIS.
“Malware developers have already begun making malware that disables common cloud security products, and designing malware that takes advantage of the scale and agility offered by the cloud.”
Maturing cloud security leads to faster security response
While the cloud revolution is posing new challenges for security teams, organizations that are able to pivot to a more mature and streamlined governance model for cloud security can reap significant benefits in their security agility and response capabilities.
The survey found that organizations who ranked high maturity in both Cloud and Security evolution were able to identify and contain data breaches faster than colleagues who were still in early phases of their cloud adoption journey.
In terms of data breach response time, the most mature organizations were able to identify and contain data breaches twice as fast as the least mature organizations (average threat lifecycle of 125 days vs. 250 days).
As the cloud becomes essential for business operations and an increasingly remote workforce, organizations should focus on the following elements to improve cybersecurity for hybrid, multi-cloud environments:
- Establish collaborative governance and culture: Adopt a unified strategy that combines cloud and security operations – across application developers, IT Operations and Security. Designate clear policies and responsibilities for existing cloud resources as well as for the acquisition of new cloud resources.
- Take a risk-based view: Assess the kinds of workloads and data you plan to move to the cloud and define appropriate security policies. Start with a risk-based assessment for visibility across your environment and create a roadmap for phasing cloud adoption.
- Apply strong access management: Leverage access management policies and tools for access to cloud resources, including multifactor authentication, to prevent infiltration using stolen credentials. Restrict privileged accounts and set all user groups to least-required privileges to minimize damage from account compromise (zero trust model).
- Have the right tools: Ensure tools for security monitoring, visibility and response are effective across all cloud and on-premise resources. Consider shifting to open technologies and standards which allow for greater interoperability between tools.
- Automate security processes: Implementing effective security automation in your system can improve your detection and response capabilities, rather than relying on manual reaction to events.
- Use proactive simulations to rehearse for various attack scenarios: This can help identify where blind spots may exist, and also address any potential forensic issues that may arise during attack investigation.
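The access management and least-privilege recommendations above are the kind of thing that is easy to state and easy to get wrong in a policy document. As an added example (not code from IBM or from the report), the following Python linter reads cloud access policies in AWS IAM JSON syntax, which is assumed here as the policy language, and flags the patterns that defeat least privilege: wildcard actions, write actions on every resource, NotAction/NotResource grants, and write actions that are not gated on an MFA-authenticated session. The weak and hardened policy documents are constructed for this example and do not come from any real account; the hardened one shows the same access expressed with scoped actions, scoped resources and an MFA condition.

```python
import json

# Assumed policy language: AWS IAM JSON. Both documents are constructed for this
# example; they are not policies from the report or from any real account.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Effect": "Allow",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")

# Action verbs treated as read-only; anything else is considered a write.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def requires_mfa(stmt: dict) -> bool:
    """True when the statement only applies to sessions that authenticated with MFA."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def is_read_only(action: str) -> bool:
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_VERBS)


def lint_policy(doc: dict) -> list:
    """Return human-readable findings for Allow statements that break least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' is full administrative access")
            elif action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}")
        writes = [a for a in actions if not is_read_only(a)]
        if writes and "*" in resources:
            findings.append(f"statement {i}: write actions {writes} on Resource '*'")
        if writes and not requires_mfa(stmt):
            findings.append(f"statement {i}: write actions granted without an MFA condition")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_policy(doc) or "no findings")
```

Run against the weak document the linter reports six findings (two per statement for resource scope and MFA, plus the two wildcards); the hardened document passes because every write is scoped to one bucket prefix and conditioned on MFA. The read-only verb list is deliberately short; extend it to match the services you actually use before relying on the write/read split.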
Microsoft’s security experts have warned on Monday about several email malware delivery campaigns exploiting the COVID-19 pandemic targeting companies in the US and South Korea.
What they have in common is the ultimate delivery of the Remcos RAT (remote administration tool/Trojan), a piece of malware that allows hackers to have full control over the infected system, and the fact that the attached files have some atypical extensions.
In one campaign the attackers are impersonating the US Small Business Administration (SBA) and attempt to deliver a malicious IMG (disk image) attachment.
“The IMG file contains an executable file that uses a misleading PDF icon. When run, the executable file drops Remcos, which allows attackers to take control of affected machines,” the researchers noted.
In another one the attackers are impersonating CDC’s Health Alert Network (HAN) and carry malicious ISO (disk image) file attachments. In a third one they pose as the American Institute of Certified Public Accountants and deliver a ZIP archive containing the ISO file (carrying a malicious SCR file with a misleading PDF icon).
IBM X-Force researchers have also recently warned about a variety of fake US SBA emails carrying malicious IMG (disk image) and Universal Disk Format (UDF) image files leading to the Remcos RAT.
The US SBA is a good choice for malware peddlers to impersonate at this time.
“On March 27, 2020, $376 billion in relief payments for workers and small businesses was allocated via the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The US SBA and the Department of Treasury are the designated outlets for providing information and guidance on the implementation of the CARES programs, but with people looking out for their applications, these fake emails are evidence of malicious actors already exploiting reliance on digital updates, which many are expecting as they plan to receive the allocated federal aid,” IBM X-Force researchers pointed out.
The aforementioned campaigns are obviously targeting businesses but, according to Kaspersky Lab researchers, Remcos RAT and other malware peddlers have not forgotten about consumers.
To make it more likely the recipients will download and open a malicious attachment, they are impersonating package delivery services and saying that the recipient must read or confirm the information in an attached file in order to receive a package that’s come in.
Again, the malicious attachments come with some unusual file extensions such as ACE (archive file) and the more familiar RAR and ZIP (also archive files).
Can you trust attachments? Be careful
Malware peddlers will try every email and attachment combination and permutation they can think of to get past email security filters and get users to open those files.
Needless to say, everybody should always be wary of opening attachments and links in unsolicited emails – whether they have a familiar file extension or not.
If you must open an attachment, or aren't sure about your ability to spot fake, malicious emails, test the file before opening it. VirusTotal is a popular, easy-to-use option that checks a file against many antivirus engines at once, but there are others. Keep in mind that uploading a file shares it with VirusTotal's partners, so look up the file's hash first and don't submit anything confidential.
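The campaigns above all rely on the attachment looking like something it is not: a disk image (IMG, ISO, UDF) that Windows mounts on double-click, an executable or SCR file wearing a PDF icon, an archive (ZIP, RAR, ACE) nesting a disk image, and, in the coronavirus lures described further down, a legacy Word .doc asking the reader to enable macros. As an added example (not code from Microsoft, IBM X-Force, Kaspersky or any of the vendors quoted on this page), the following Python script triages attachments the way a mail gateway or an analyst would before trusting a name or an icon: it parses an RFC 5322 message, identifies each attachment by magic bytes rather than extension, flags the patterns just listed, and records the SHA-256 you would look up in VirusTotal before deciding whether to upload anything. The lure message, attachment names and byte contents are all constructed here; the signature checks are standard format magic, while the executable-in-image and VBA-project checks are string heuristics, not full ISO or OLE parsers.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extension lists constructed for this example from the types named in the campaigns
# above plus common Windows executable types; not a vendor-maintained blocklist.
CONTAINER_EXTS = {"iso", "img", "udf", "vhd", "vhdx", "ace", "rar", "zip", "7z"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# DOS stub text present in practically every PE executable; used as a cheap
# "there is a Windows binary inside this image" heuristic.
DOS_STUB = b"This program cannot be run in DOS mode"


def sniff(data: bytes) -> str:
    """Identify the real file type from magic bytes, ignoring the claimed name."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:6] == b"Rar!\x1a\x07":
        return "rar"
    if data[7:14] == b"**ACE**":
        return "ace"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"
    # ISO 9660 and UDF volume descriptors start at sector 16 (0x8000): one type byte,
    # then a five-byte identifier.
    ident = data[0x8001:0x8006]
    if ident == b"CD001":
        return "iso9660"
    if ident in (b"BEA01", b"NSR02", b"NSR03", b"TEA01"):
        return "udf"
    return "unknown"


def analyse_attachment(name: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    if ext in CONTAINER_EXTS:
        findings.append(f"{name}: disk-image/archive attachment (.{ext})")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable attachment (.{ext})")
    # Name says document, bytes say executable: the misleading-icon trick.
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        findings.append(f"{name}: PE executable disguised as .{ext}")
    # Disk images mount on double-click; flag ones that carry a Windows binary.
    if kind in ("iso9660", "udf") and DOS_STUB in data:
        findings.append(f"{name}: disk image contains a Windows executable")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for inner in zf.namelist():
                if inner.rsplit(".", 1)[-1].lower() in CONTAINER_EXTS | EXECUTABLE_EXTS:
                    findings.append(f"{name}: archive nests {inner}")
    # Legacy Word binaries: OLE directory entry names are UTF-16LE; the VBA storage
    # name is a cheap macro indicator (heuristic, not a full OLE parse).
    if kind == "ole" and "_VBA_PROJECT".encode("utf-16-le") in data:
        findings.append(f"{name}: OLE document carries a VBA project (macros)")
    return findings


def triage(raw: bytes) -> list:
    """Parse a raw message and return [{name, sha256, findings}] per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "unnamed"
        # The hash is what you look up (rather than upload) in a service like VirusTotal.
        report.append({"name": name, "sha256": hashlib.sha256(data).hexdigest(),
                       "findings": analyse_attachment(name, data)})
    return report


def build_sample() -> bytes:
    """Constructed lookalike of an SBA-themed lure; not a real campaign artefact."""
    msg = EmailMessage()
    msg["From"] = "loans@sba.example"          # constructed sender
    msg["To"] = "owner@smallbiz.example"       # constructed recipient
    msg["Subject"] = "CARES Act application status"
    msg.set_content("Your application is attached.")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 100
    fake_iso = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041 + fake_exe
    msg.add_attachment(fake_iso, maintype="application", subtype="octet-stream",
                       filename="SBA_Application.img")
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf",
                       filename="Form_3502.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement.iso", fake_iso)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="AICPA_guidance.zip")
    msg.add_attachment(b"%PDF-1.4\n%clean\n", maintype="application", subtype="pdf",
                       filename="Guidance.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for entry in triage(build_sample()):
        print(entry["name"], entry["sha256"][:16], entry["findings"] or "clean")
```

On the constructed message the script flags the IMG (disk image plus embedded executable), the PDF-named PE, and the ZIP nesting an ISO, and reports the genuine PDF as clean. The point of sniffing magic bytes is that a renamed executable or a disk image with an innocuous name fails the name-based check but not the byte-based one; conversely, an executable that has been wrapped several layers deep needs the recursive archive and image checks, which is why real gateways unpack containers rather than trusting the outer name.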
The Wuhan coronavirus continues to spread and create anxiety across the globe, allowing malicious individuals and groups to exploit the situation to spread fake news, malware and phishing emails.
Malicious coronavirus-themed campaigns
IBM X-Force says that Japanese users have been receiving fake notifications about the coronavirus spreading in several prefectures, purportedly sent by a disability welfare service provider and a public health center.
The emails contain legitimate information taken from those services' official websites and carry an attached .doc file that ostensibly contains more information.
“The content of the document itself is just an Office 365 message, instructing the viewer to enable the content (which is malicious), in case the document has been opened in protected view,” the researchers explained. The delivered malware is the Emotet downloader.
“We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers. In these first samples, Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic,” IBM X-Force researchers added.
Mimecast researchers spotted similar emails targeting English-speaking users, purportedly sent by a virologist from Singapore, carrying a malicious .pdf attachment.
KnowBe4 specialists warn about phishing emails that look like they've been sent by the US Centers for Disease Control and Prevention (CDC), linking to a web page that supposedly contains updated lists of new coronavirus infection cases in the US.
Be careful, be aware
Cyber crooks and other malicious individuals are expected to continue to impersonate official notifications by legitimate institutions to spread malware or hoaxes (and panic).
Cybercriminals are known for using high-profile, global news stories to target users and trick them into doing something they otherwise wouldn’t do, but situations like this latest coronavirus outbreak are a gift that keeps on giving since each day comes with a new update and everybody is expecting official alerts.
KnowBe4’s CEO noted that users should be careful when it comes to anything related to the coronavirus – emails, attachments, social media posts, text messages.