Insecure configurations put small businesses at increased risk and Log4j-based malware attacks persist
Lacework®, the data-driven cloud security company, today released the third volume of its Cloud Threat Report, a semi-annual accounting of the ongoing cybersecurity threats impacting the cloud. Conducted over a six month period, the Cloud Threat Report found threat actors are broadening the scope of their efforts to gain illicit access to cloud data and resources. In addition to increased targeting of cloud platforms beyond AWS, Microsoft Azure, and Google Cloud, malicious actors are rapidly adapting new attacks to target organisations in the cloud. As world governments issue warnings over the increasing cybercrime threat, the report’s findings highlight some of the most common threats businesses should protect against.
Small businesses in particular are at risk from cloud access brokers, who sell access to cloud accounts online. According to the report, 78 percent of SMBs observed by the Lacework Labs team had compliance violations within their cloud infrastructure, opening the door for attackers to gain initial access, escalate privileges, and impact protected data.
“Threat actors continue to show sophistication as they create and adapt new attacks to compromise the cloud,” said James Condon, Director of Research, Lacework. “Organisations moving more data to cloud infrastructure need to be just as nimble, employing security best practices and modern tools with continuous monitoring to stay ahead of cybercriminals and keep critical information safe.”
This third installment of the Cloud Threat Report highlights four key areas of cloud security: cloud security posture, vulnerabilities and software supply chain, runtime threats and linux malware, and proactive defence and intelligence. Based on anonymised data across the Lacework platform from September 2021 – February 2022, the report found:
- Cloud security posture mistakes are an open door for threat actors: 72 percent of cloud environments monitored had insecure configurations, providing a warm welcome for attackers to gain initial access, establish persistence, escalate privileges, and impact protected data across clouds. The most common risks were found in the AWS services IAM, S3, and EC2, which were also the most popular services for attackers to abuse.
- Every cloud is a target, not just the big 3: Despite being one of the largest cloud services providers, AWS accounts make up only 16% of overall hosting of illicit access for sale, while lesser known companies like HostGator and Bluehost make up half. Though corporate accounts are being offered for as low as $300 USD and upwards of $30k USD, the average price of a compromised AWS account is roughly $40 USD. This high volume of lower priced inventory indicates that attackers may be taking advantage of the increased compliance violations in SMB organisations and a lack of focus on securing consumer accounts.
- Log4j remains a significant threat, and malware is adapting quickly: 31 percent of malware infections observed by the Labs team use Log4j as the initial infection vector. What’s more, Muhstick, the malware family most commonly observed in the wild, can incorporate vulnerabilities like Log4j into their operations within 48 hours, reinforcing how quickly threat actors will respond to take advantage of vulnerability disclosures.
The Lacework Labs team also examined issues around compliance, exposed Docker APIs and malicious containers, and additional vulnerabilities within the software supply chain. A full copy of the report and the executive summary can be found here.
Based on the findings of this report, Lacework Labs recommends that defenders evaluate security infrastructure against industry best practices and implement proactive defence and intelligence tools with active vulnerability monitoring like the Polygraph® Data Platform. The Lacework Labs team has put together several resource guides organizations can use to set up canary tokens, honeypots, and other proactive tools on the Lacework blog.