Lacework 2021 Cloud Threat Report Vol. 2
August 31, 2021
Cybercriminals Demand for Cloud Access Grows
In new research from the Lacework Labs Team, it’s clear organizations should start thinking of cybercriminals as business competitors. Thanks to more than three months of exhaustive monitoring and tracking malicious cloud activity, the team has uncovered evolving attack techniques and campaigns originating from across the globe, mostly characterized by a rising demand for access to cloud accounts. Whether this be cloud account credentials sold in underground marketplaces or through direct attempts to gain access, cybercriminals are increasingly looking to profit from vulnerable business resources.
Either directly targeting a businesses’ data, or indirectly accessing their resources, the Lacework 2021 Cloud Threat Report Volume 2 details some key areas for customers to monitor:
Selling Cloud Account Access
Initial Access Brokers have evolved from the opportunistic compromise of one-off, internet-facing assets for resale as proxies, to the targeting of corporate networks, assessing for business value, and ultimately selling access into the organization for use to the highest bidder. AWS, Google Cloud, and Azure administrative accounts have quickly become high-demand items in these underground marketplaces.
Cloud Services Probing
While AWS S3, SSH, SQL, Docker, and Redis all were the most popular services/applications targeted for initial access, SSH continues to be the most heavily attacked service. In addition, the team reported Tor is the common source used for S3 reconnaissance, and Zgrab, a popular tool for internet-wide scanning, was observed in the majority of traffic scanning Docker APIs.
Evolving Criminal Campaigns
Crimeware operations continued to evolve over the past three months. In the report, researchers document new malware samples from Keksec; TeamTNT backdooring legitimate Docker images; new clusters of activity from 8220 mining gang; and legitimate crypto mining tools being used illicitly for the first time.
Notable Attacker Techniques
About four months ago, ATT&CK v9 was released including the new ATT&CK for Containers matrix. During this same period Lacework observed some interesting techniques from this matrix, such as User Execution: Malicious Image [T1204.003], Persistence: Implant Internal Image [T1525], and Execution: Deploy Container [T1610].
To learn about these findings and more check out the full Lacework 2021 Cloud Threat Report.
The Lacework Labs Team will also be hosting a webinar, where you can hear from some of our researchers to gain insights on how you can use these insights to help secure your organization’s cloud.