A 2022 Year-end Recap on Cloud Threats

As the year is coming to an end, I can’t help but take a walk down memory lane to reminisce and reflect on the journey of the cloud threat landscape. Here’s my take on this 2022 recap of cloud threats.

First things first, I think it’s safe to say that this year has been a rollercoaster of non-stop cyberattacks. Particularly the cloud threat landscape, it truly feels like the massive potholes in front of my home. Every 6-10 weeks, we get the same potholes, in the same place, only slightly bigger and worse than the first one and the threat landscape this year for public clouds has been no different. However, while the fundamental TTPs have not shifted, what we have seen is an evolution in long-chained attacks – where more traditional techniques such as social engineering have been combined with cloud misconfigurations and over-privileged identities – resulting in more impactful breaches for organizations. Now let’s dive into some of the observed patterns.

Over-provisioned Privileges: The year started with LAPSUS$ making a big name for themselves by leveraging breached credentials and bypassing MFA to go for a joyride into several high-profile organizations. Once they established a beachhead into an organization, they moved laterally - stealing admin credentials and eventually getting ahold of highly privileged credentials for both cloud and on-prem resources. They were successful in compromising several cloud workloads and gaining access to sensitive data. Organizations continue to fail in tracking potential blast radiuses for human and non-human identities, which results in longer root cause analysis and wider impact in terms of data loss. 
Insider Threats:  Organizations continue to miss exploitable access paths to sensitive data in their public cloud. The ability to understand indirect access paths to sensitive data is crucial in understanding how to mitigate risk of insider threats in the public cloud. For e.g. user has access to EC2 instance which has access to an S3 bucket and therefore has a transitive relationship with the data. 
Resource Misuse - Stale/Unused Objects: One of the key reasons the cloud improves productivity is because of the ability to move large quantities of data around. However, accidental sharing of database or disk snapshots or inadvertent access into these resources have resulted in several breaches this year. Unused IAM objects such as access roles, service principles and API access keys and continued to be an access vehicle for threat actors into organizations.  
Poor Appsec - Poorly coded web applications continue to provide front door access to cloud environments. Once exploited, threat actors can leverage the OWASP top 10 attack vectors such as SSRF / CSRF to gain access to the cloud metadata services and move laterally through poorly configured IAM roles. Organizations continually fail to harden cloud metadata services such as the instance metadata service(IMDS) in AWS
Leaks by the Buckets or Blobs: Petabytes of data continue to be exposed through misconfigured cloud storage. Highly sensitive unencrypted data being stored in the public cloud has meant the perfect storm of data loss for organizations. Not being able to differentiate a legitimate public data share from an accidental one has been the root cause of countless breaches over the years, and 2022 has been no exception. Noisy tools and lack of cloud incident response processes have meant such incidents have been more impactful than they should have been for organizations.
Software Supply Chain: We had several instances of malicious python packages being inserted into trusted code repositories such as PyPI/NPM. A 15-year-old vulnerability in a highly popular tool called ‘tar’ remained undetected because of the embedded nature of software dependencies. This package was later discovered to be present in highly popular utilities and container images. 
Hoax Vulnerability: The OpenSSL vulnerability (CVE 2022-3786 and CVE 2022-3602) disclosure got every organization on their toes resulting in log4j/log4shell DeJa’Vu. But thankfully the impact and exposure was considerably less. One interesting aspect of the lower impact was due to the fact that a majority of servers running OpenSSL were using out-of-date or older versions, talk about the patching paradox!    
Source Code Loss: The trend started with Solarwinds in 2020 and does not seem to slow down, threat actors are continuing to focus on the organization's intellectual property and source code repositories have been at the crosshairs of such. The goal is not only to impact and steal source code but also to trigger further supply chain attacks down the line. Loss of sensitive content through source code such as embedded API keys continue to proliferate and continue to grow in public code repositories such as Github. Learn more about how to respond to such incidents in our latest blog 
Cloud Provider Vulnerabilities: There has been a more concerted effort from the cloud security community to harden and find weaknesses in the CSP’s ability to isolate and protect customer environments and several vulnerabilities were discovered where tenant isolation was broken.  

To summarize, defenders (and developers) across the globe are probably thanking Santa Claus for not dropping another Log4j or Solarwinds (dare I say so) under their trees this year. While the trends observed here will continue to evolve, I am hopeful that increasing awareness on cloud-native attack paths and adoption of solutions – such as Zscaler Posture Control, our cloud-native application protection platform (CNAPP) solution, which combines multi-vector telemetry across cloud misconfigurations, data protection, and identity – will improve organizational resilience to the cloud attacks observed this year.

So, what’s next? As you head into the new year, there’s no doubt that these cloud threats will continue to advance. For that reason, give us an opportunity to be your mission partner in delivering a secure cloud infrastructure by providing a free assessment of your cloud infrastructure today and helping you build security processes that scale to your needs tomorrow.

Learn more about Zscaler Posture Control.

Article Link: https://www.zscaler.com/blogs/security-research/2022-year-end-recap-cloud-threats