Remember how the Ocean’s Eleven crew couldn’t just attack one casino… they had to go for three? Well, the same goes for some cyber criminals who think, “Why stop at data theft when I can also hijack cloud resources for profit?” For many financially motivated attackers, more is more.
In this final piece of our real-world cloud attack series, we examine the breach of a high-profile organization that went straight for a sensitive management console in the cloud to orchestrate a sophisticated cryptomining scheme.
Attack Phase 1: Entry
Attackers pinpointed and accessed a publicly exposed Kubernetes console that was not protected by a password or by multi-factor authentication (MFA). While this may sound like an egregious oversight, the truth is these powerful admin portals — whether they are specific cloud application development tools such as container orchestration platforms, or those used to manage all cloud projects and resources hosted by a specific cloud provider — are often overlooked and unintentionally exposed.
Attack Phase 2: Exploration
The attackers discovered that within one Kubernetes pod, access credentials were exposed to the company’s cloud environment, which contained a cloud database housing sensitive data. This included proprietary telemetry data used to monitor quality and performance and improve customer experiences.
Attack Phase 3: Exploitation
The attackers commandeered the cloud console, ran scripts and used mining software to harness the company’s costly cloud resources to mine for cryptocurrency. To remain under the radar, they intentionally reduced CPU usage and masked their IP using a proxy server.
By appropriating compute resources, this attack ultimately cost the victim organization thousands of dollars in cloud services. And while cryptomining appears to have been their main goal, the attackers inevitably stumbled across some other “cloud goodies” along the way. These locally stored cloud access keys unlocked storage databases containing confidential information, including sensitive telemetry data on the company’s customers, which could have been used to damage the company’s brand and reputation.
To explore the full cryptomining attack chain, watch the video.
The “Elite Eleven” Cloud Identity Security Safeguards
Danny Ocean had his 11 accomplices, and fortunately, when it comes to protecting against attacks on identity in the cloud, we’ve got our own “elite eleven”— safeguards, that is.
From protecting against attacks that exploit cloud misconfigured identities, to those that hijack credentials embedded in code, to those that compromise sensitive console access, the following foundational steps can help you embrace a model of identity-centric security to drive resilience in the modern threat landscape. To explore all 11 recommendations, download this eBook.
1. Gain visibility into your permissions. As cloud adoption increases, so does the attack surface in the form of increasing permissions for business users and machine identities. To reduce risk, organizations must first get a strong handle on what cloud resources business users have access to, and when, and also identify ways to uncover hidden, unused and misconfigured permissions across your cloud footprint at scale.
2. Rotate and manage standing privileged credentials. Privileged credentials that provide employees, as well as third-party vendors, with 24/7 access to public cloud resources, consoles, security tools, RPA, automation tools, IT management and more must be protected with strong Privileged Access Management controls. Also consider just-in-time access to reduce standing privileges and overall risk exposure.
3. Strengthen access controls with MFA. Verifying that people are who they say they are may sound obvious, but it often goes wrong when organizations rely on only one verification method like a single set of credentials that are easily stolen or compromised. MFA plays an instrumental role in verifying user identities and preventing compromise — particularly when it comes to SaaS applications that are regularly accessed from outside the network.
4. Federate access to cloud resources like consoles, virtual machines and CLIs and authenticate with your preferred identity provider.
5. Implement least privilege throughout your cloud estate. This includes limiting access for highly privileged users and DevOps tool admins to demonstrate compliance with industry frameworks such as the Cloud Security Alliance’s Cloud Control Matrix.
Looking for additional guidance on protecting identity and privilege in the cloud? The CyberArk Blueprint for Identity Security Success provides a proven framework for assessing your current strategy and defining a roadmap for long-term success.