If one word could sum up the observations of the Lacework Labs team over the past six months, it’s speed. Adversaries are adapting to become more efficient and stealthy in their capabilities within the cloud management plane. Since the last Cloud Threat Report, Lacework Labs has seen a marked evolution of the tactics leveraged by cybercriminals to more effectively target cloud infrastructure and monetize their intrusions.
One of the starkest realities the industry is grappling with is the realization that adversaries have learned that they no longer require access to systems directly to be effective in their endeavors. Now, more than ever, bad actors are actively living off the API and subverting a majority of traditional security controls, leaving defenders blind to the reality of an ongoing compromise. We expect this trend to increase as criminals continue expanding their understanding of cloud infrastructure.
Even when considering malware usage, adversaries continue to leverage age-old techniques to deploy and hide their malware. One of the latest instances involves packing their malware into hosted images via steganography, an old tactic that is seldom observed outside of Capture The Flag competitions, or so it would seem.
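A defender-side check for the image-hosting trick described above, added here as an example and not code from Lacework Labs or the report. It assumes the simplest form of the technique, a payload appended after the PNG IEND chunk or stuffed into a non-standard or CRC-corrupted chunk, which is what a file-integrity or download-scanning pipeline can flag cheaply; pixel-level steganography is out of scope for this check. The sample image and the appended "payload" are constructed in the block.

```python
"""Flag PNG files that carry data beyond the image structure.

Added example (not Lacework code). Assumes the hidden payload sits after the
IEND chunk, inside a non-standard chunk, or in a chunk whose CRC no longer
matches its body. True pixel-level steganography is not detected here.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Critical and common ancillary chunk types from the PNG specification.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA",
    b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"tIME", b"tRNS", b"sBIT",
    b"hIST", b"sPLT",
}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as clean sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one gray pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Walk the chunk list.

    Returns (chunks, end_offset) where end_offset is the byte just past the
    IEND chunk, or -1 if the signature is wrong or the structure is truncated.
    """
    if not data.startswith(PNG_SIG):
        return [], -1
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):  # 8-byte header + 4-byte CRC minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_off = pos + 8 + length
        if crc_off + 4 > len(data):
            return chunks, -1
        stored_crc = struct.unpack(">I", data[crc_off:crc_off + 4])[0]
        crc_ok = stored_crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append({"type": ctype, "length": length, "crc_ok": crc_ok})
        pos = crc_off + 4
        if ctype == b"IEND":
            return chunks, pos
    return chunks, -1


def scan_png(data: bytes) -> dict:
    """Return trailing-byte count plus human-readable findings."""
    chunks, end = parse_png(data)
    findings = []
    trailing = 0
    if end < 0:
        findings.append("malformed or truncated PNG")
    else:
        trailing = len(data) - end
        if trailing:
            findings.append(f"{trailing} bytes after IEND")
    for c in chunks:
        name = c["type"].decode("latin-1")
        if not c["crc_ok"]:
            findings.append(f"bad CRC on {name} chunk")
        if c["type"] not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {name} ({c['length']} bytes)")
    return {"trailing_bytes": trailing, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed stand-in for an appended payload; any bytes after IEND count.
    stuffed = clean + b"#!/bin/sh\necho constructed-sample\n"
    for label, blob in (("clean", clean), ("stuffed", stuffed)):
        print(label, scan_png(blob))
```

In a pipeline this would run on every image pulled from a hosting site or image registry before it is trusted; a non-zero `trailing_bytes` or a CRC mismatch is cheap to compute and hard for an appended payload to avoid, whereas a non-standard chunk warrants a closer look rather than an automatic block, since some tools legitimately write private chunks.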
These tactics are a component of the more prominent trend of supply chain attacks and related core infrastructure compromise. Attackers are utilizing commonly used technologies to more effectively target an extensive range of corporations via a single point of entry, which can be replicated almost indefinitely and persists as long as it takes organizations to patch.
Regardless of the creativity involved in gaining initial access to the cloud management plane, the end goal often remains the same. These bad actors are also leveraging the infrastructure itself as a means of monetizing the intrusion via cryptojacking. In many ways, the playing field in the cloud contrasts with the common perception of hackers – the stealthy intruder looking to obtain trade secrets and spy on an organization or individuals. The reality is that cloud compromise is often simply fast, noisy, and lacking much creativity. Cloud adversaries are opportunistically driven, leveraging cracks in infrastructure at scale to monetize their intrusions quickly and then moving on to other targets with similar flaws. It’s all a numbers game.
Openly sharing information is a core tenet of the Labs team’s mission. While this report focuses on insights around cloud threats, the Labs team has been busy enabling the cloud security community. Labs presented at several conferences, including Black Hat and DEFCON, and is releasing an open-source threat hunting tool, Cloud-Hunter. Our goal is to enable the community by highlighting new tradecraft and to extend the capabilities of our customers by extending the Lacework Query Language into threat detection, dynamic rule creation, and security enablement.
To learn more, check out the full Lacework 2022 Cloud Threat Report, Volume 4.
Lacework Labs Threat Researcher James Condon will also host a webinar on November 3rd to provide insights on how you can use findings from the report to help secure your organization’s cloud.