Ransomware has become top of mind for security professionals and the trend is expected to accelerate over the next few years. In 2021 there were over 700,000 million attempted ransomware attacks.
With an attack occurring every 11 seconds, it is not surprising that security teams have been slammed and that fatigue is making the situation worse (BitSight).
It is interesting to note that all ransomware victim organizations had a security solution such as antivirus, EDR, firewalls, etc. installed at the time of the attack. This begs the question: why are there so many successful breaches when cybersecurity investments are at an all-time high?
In a recent article, BrightTALK summarizes the state of cloud security. “Traditional ransomware has become a popular tool for cybercriminals to make money and has cost a variety of industries hundreds of millions to billions of dollars in recent years. As trends change and corporations move from traditional data centers to cloud environments like AWS, GCP, and Azure, adversaries are adapting their techniques to match the new climate. Because of this, attackers abusing cloud APIs rather than host/network-based commands are becoming more prevalent.”
Protecting your data assets requires that you protect your environments from ransomware at all costs. Ransomware affects not only on-premise environments but your cloud data storage as well. We will focus on how advanced threats such as Ransomware breach cloud-based data and assets.
There is a common misconception that advanced data breaches do not happen in cloud environments, and that your cloud service provider has bulletproof protection for all your data and assets. That could not be further from the truth!
In order to access cloud data, assets or services, you obviously have to do it through a computer or device that is connected to the cloud provider, such as Azure, AWS, Google Cloud, etc. Furthermore, in order to consume or distribute your digital assets you may need to download a copy to your local machine. For convenience, most cloud data users create a local folder synchronized to their cloud repository.
Let’s look at a couple of examples where ransomware can and will encrypt cloud-stored data.
SharePoint Online, Dropbox, Box, OneDrive, etc. allow you to work on your files locally. The files are then synchronized to cloud data storage automatically.
In many cases, ransomware can be embedded in a document such as an Excel file or an email attachment. When such a file is synchronized to the cloud repository, the ransomware is then synchronized down to other users who share the same document. Additionally, the ransomware can also start encrypting all other files in that folder.
When the ransomware encrypts the files in the local shared folder, those encrypted files synchronize to your cloud storage and replace the original files in the cloud folder. Once this happens, certain ransomware not only encrypts the local files but may also be embedded in the uploaded files and execute in your cloud repository.
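Because the sync client uploads an encrypted local copy as soon as it appears, the practical defence is to notice encryption in the synced folder before it propagates. The following is an added example, not HackerStrike's code or the page's own: a Python scan that flags files in a synced folder by a changed extension or by byte entropy, with constructed thresholds, extension lists and a constructed sample folder.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed values for this example; tune them for your own file mix.
ENTROPY_THRESHOLD = 7.5                                    # bits/byte; plain documents sit far below
SUSPICIOUS_EXTS = {".locked", ".encrypted", ".crypt"}      # illustrative, not a real family list
COMPRESSED_EXTS = {".docx", ".xlsx", ".pdf", ".zip", ".jpg", ".png"}  # legitimately high entropy

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; random-looking ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_sync_folder(root: str, sample_bytes: int = 4096):
    """Return [(relative_path, reason)] for files that look encrypted by ransomware.
    Compressed formats are exempt from the entropy test to avoid false positives;
    they are still caught when the extension itself was changed."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXTS:
                findings.append((rel, "suspicious extension"))
            elif ext not in COMPRESSED_EXTS:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)          # only the first block is needed
                if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                    findings.append((rel, "high entropy"))
    return findings

def mass_encryption_suspected(root: str, ratio: float = 0.5) -> bool:
    """True when at least `ratio` of the files look encrypted: the point at which
    pausing the sync client is cheaper than restoring the whole folder from the cloud."""
    total = sum(len(names) for _, _, names in os.walk(root))
    return total > 0 and len(scan_sync_folder(root)) / total >= ratio

def build_sample_folder() -> str:
    """Constructed sample: one plain document, one compressed document, two encrypted files."""
    root = tempfile.mkdtemp(prefix="sync_")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly planning notes\n" * 200)
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(os.urandom(4096))                          # compressed format: exempt
    with open(os.path.join(root, "budget.xlsx.locked"), "wb") as fh:
        fh.write(os.urandom(4096))                          # renamed by ransomware
    with open(os.path.join(root, "invoice.csv"), "wb") as fh:
        fh.write(os.urandom(4096))                          # encrypted in place, name kept
    return root
```

Running `scan_sync_folder(build_sample_folder())` reports the renamed file and the in-place encrypted CSV while leaving the compressed document alone.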
Are the cloud service providers themselves immune? The answer is no. There are many documented instances of ransomware attacks and disruptions on cloud service providers.
The Switzerland-based cloud hosting provider Swiss Cloud reported a ransomware attack that shut down the company’s server infrastructure in 2021. The company restored its data from backups and took several days to restore service. The attack disrupted more than 6,500 customers and made servers unavailable.
Researchers at security firm Wiz recently announced that they were able to obtain complete, unrestricted access to the Azure Cosmos DB databases of several thousand Microsoft Azure customers.
Then the same researchers discovered a major issue that they called OMIGOD. Vulnerabilities were found in the Open Management Infrastructure (OMI), the Linux equivalent of Microsoft’s Windows Management Instrumentation (WMI). This service is silently installed on all Azure Linux virtual machines. It is not easily patched, and at this time any newly installed Linux virtual machine is potentially subject to remote code execution. The Wiz researchers found 65% of customers were potentially exposed to risk. The vulnerabilities allow external users, and ones with low privileges, to remotely execute code on target machines or escalate privileges. In the most severe vulnerability, an attacker can achieve remote code execution due to HTTPS port exposure in the Azure Configuration Management tool (CRN).
Researchers at security consultancy Kloudle found they were able to bypass both the Google Cloud Platform (GCP) and Amazon Web Services (AWS) web application firewalls just by making a POST request more than 8 KB in size.
“The default behavior of Cloud Armor, in this case, can allow malicious requests to bypass Cloud Armor and directly reach an underlying application,” according to Kloudle.
“This is similar to the well-documented 8 KB limitation of the AWS web application firewall, however, in the case of Cloud Armor, the limitation is not as widely known and is not presented to customers as prominently as the limitation in AWS.”
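Since a request body larger than the firewall's inspection limit reaches the application uninspected, the application should refuse anything over that limit itself. The following is an added example, not Kloudle's or the page's own code: a small WSGI middleware that rejects oversize bodies before the wrapped app parses them, including bodies sent without a trustworthy Content-Length. The 8 KB figure is taken from the article; the real limit for a deployment must come from the WAF's documentation.

```python
from io import BytesIO

MAX_BODY_BYTES = 8 * 1024   # assumed: the 8 KB inspection boundary the article describes

def _reject(start_response):
    body = b"413 Payload Too Large\n"
    start_response("413 Payload Too Large",
                   [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]

def enforce_body_limit(app, max_bytes=MAX_BODY_BYTES):
    """WSGI middleware: refuse any request whose body exceeds max_bytes before the
    wrapped application parses it, so the app never accepts what the WAF did not inspect."""
    def middleware(environ, start_response):
        declared = environ.get("CONTENT_LENGTH") or ""
        # Fast path: a declared length over the limit is rejected without reading the body.
        if declared.isdigit() and int(declared) > max_bytes:
            return _reject(start_response)
        # Otherwise read at most max_bytes + 1 bytes, so an undeclared (chunked) body
        # cannot smuggle more than the limit; the extra byte reveals an overrun.
        stream = environ.get("wsgi.input") or BytesIO()
        body = stream.read(max_bytes + 1)
        if len(body) > max_bytes:
            return _reject(start_response)
        environ["wsgi.input"] = BytesIO(body)      # bounded, re-readable body for the app
        environ["CONTENT_LENGTH"] = str(len(body))
        return app(environ, start_response)
    return middleware

def echo_app(environ, start_response):
    """Stand-in backend that reports how many body bytes actually reached it."""
    n = len(environ["wsgi.input"].read())
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"received {n} bytes".encode()]

def simulate(app, body: bytes, declare_length: bool = True):
    """Drive a WSGI app in-process (no server) and return (status, response bytes)."""
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": BytesIO(body)}
    if declare_length:
        environ["CONTENT_LENGTH"] = str(len(body))
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    out = b"".join(app(environ, start_response))
    return captured["status"], out

guarded = enforce_body_limit(echo_app)

if __name__ == "__main__":
    print(simulate(guarded, b"x" * 100))           # small body passes through
    print(simulate(guarded, b"x" * 9000))          # declared oversize body is refused
    print(simulate(guarded, b"x" * 9000, False))   # undeclared length is refused too
```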
It is important to mention that in most cases, cloud service providers react quickly to discovered vulnerabilities and patch them as soon as possible.
At the end of the day, the best way to protect your infrastructure is to maintain good cyber security hygiene.
It is clear to us that when it comes to cyber threats, no one is safe. Hackers continue to innovate in their technology and in their approach to causing damage and disruption. HackerStrike was designed to detect, block and mitigate advanced cyber threats.
In order to deal with the fast morphing of advanced malware and the ever-changing attack vectors, HackerStrike designed an AI-based device behavior model. This approach allows us to detect any behavior anomaly, which is then evaluated by four AI algorithms in real time.
This method helps us detect and stop any threat, known or unknown, before any encryption event starts.
How HackerStrike protects in an on-prem or cloud environment
Endpoints: Installing HackerStrike on all endpoints will ensure that no ransomware is synchronized to cloud folders and thus limit the exposure to the rest of the organization.
Server and hybrid environments: Installing HackerStrike on servers and cloud-based processing equipment will keep critical systems running and protect data stored on those systems.
Protecting data, whether it is in the cloud or on-premise, requires an integrated approach using best-of-breed technologies and best practices across the organization. As cybercriminals adapt and improve their skills and methods, organizations need an autonomous solution such as HackerStrike that performs the heavy lifting.
By Ralph Aceves
CEO, HackerStrike Corporation