Security vulnerabilities are inevitable, and attackers and defenders are in a never-ending race to discover them first. As soon as we find a misconfiguration or a new attack technique, a bad actor is already looking for a new one.
Attackers are getting to organizations’ valuable assets faster than ever before thanks to automation, new tools, and more opportunities to move through a cloud environment unnoticed. To protect your most important data and systems, you’ll need to identify what bad actors want and how they try to get it.
Based on the trends the Lacework Labs team discovered while conducting research for our Cloud Threat Report, we have a few tips to help you find security flaws before bad actors can take advantage of them.
How Are Attackers Moving So Fast?
Attackers are able to quickly breach environments because they’re noticing mistakes before defenders do. They’re constantly scanning systems for misconfigurations and monitoring repositories for hard-coded secrets.
For instance, if a developer on your team accidentally commits an AWS access key in a public GitHub repository, even for just a few minutes, you might assume that it’s not a problem because you caught the error quickly. However, this is exactly what attackers want—they only need a few minutes to obtain that key before you even know there is a problem.
We’re noticing this trend gaining momentum with attackers. They are compromising systems at a rapid pace, which suggests that they are using automation tools to scan new code commits in public repositories for those access keys.
Access keys are particularly attractive targets for attackers because they let attackers take control of systems, compromise employee data, or steal financial information. There are non-obvious uses and motives, too, including spamming and phishing.
Lacework Labs found that almost one-third of compromised-key incidents in the past year were used for spamming or sending malicious emails. Of those incidents, most were linked to AndroxGh0st, a Python malware that attackers are using to automatically detect access keys and secrets in Laravel files. Laravel is an open-source platform used to create web applications—and it’s a popular target for attackers because it contains configuration data from sources such as AWS and Twilio. Attackers use that data to check email-sending limits to determine if they’ll be useful for spamming.
Attackers are also using tools such as AndroxGh0st to escalate user privileges through a series of automated tasks—including up until they eventually gain administrative access to your cloud-management console; this enables them to manage all of your resources and data. They appear to be authorized users because they’re using the credentials of someone at your company, making them more difficult to find.
When attackers assume the identity of a known user in your environment, they often go undetected until they’ve already achieved administrative access. Some of their actions wouldn’t necessarily raise any flags because they’re taken by an authorized user with permission to do so—for example, accessing a cloud service for the first time, logging in from a new region, or modifying your cloud configuration.
What Are the Warning Signs?
Detecting compromised credentials is a challenge because each scenario is different. However, focusing on behavior is a good place to start. When you understand your cloud, its users, resources, applications, and processes, you can identify abnormal activity. For example, if you know an application runs one process every day and connects to one device, but one day you notice that it’s running a new process, that’s an action worth investigating, because it’s unusual for your cloud. In these scenarios, behavioral-based threat-detection solutions are helpful for monitoring your cloud and notifying you when something abnormal occurs.
When there are specific threats you’re aware of, such as AndroxGh0st, there are more likely to be specific warning signs, such as commands that attackers use to disable defenses. Monitoring for commands that disable those defenses can help you detect malicious behavior early on, enabling you to prevent attackers from deploying malware or causing further damage. Commands to look out for in AWS logs include GetSendQuota, CreateUser, CreateLoginProfile, AttachUserPolicy, and DeleteAccessKey.
Avoid Distractions: New Problems Don’t Erase Old Ones
As we continue to encounter new security issues, such as the recent critical OpenSSL vulnerability, Log4j is no longer the primary concern of organizations. But attackers haven’t forgotten about the Apache Log4j zero-day exploit, which affected nearly 44% of worldwide networks, and they won’t for a while. Because so many applications and infrastructure leveraged Apache Log4j when the vulnerability was exploited, the vulnerability only continued to evolve and become more complex. According to Lacework Labs research, Log4j remains a significant threat; 31% of malware infections observed by the Labs team used Log4j as the initial infection vector.
Naturally, we have continued to see bad actors scanning for and exploiting the Log4j vulnerability—mostly thanks to out-of-band application-security testing (OAST). OAST is a method used to discover known, exploitable vulnerabilities in web applications—and OAST tools make this process easier for attackers.
As these tools gain popularity, we expect that attackers will use them to their advantage and continue to look for unresolved Log4j vulnerabilities for months—maybe years—to come. Even if you weren’t originally impacted, it is important to stay on the lookout for ubiquitous software vulnerabilities like Log4j. As new vulnerabilities outshine these existing ones, attackers will try to take advantage of your distraction.
Expect the Unexpected: Attack Techniques Are Constantly Changing
Attackers constantly refine and improve their techniques in an effort to outsmart defenders. Not only do they look for ways to exploit new tools and technologies (as we’ve seen with AndroxGh0st), but they also try to find alternative and more impactful ways to attack popular, well-established software (as we’ve seen with Log4j). Security teams are not ignorant to these strategies; according to Lacework Labs and ClearPath research, 39% of organizations believe the greatest risk they face is that of “known vulnerabilities [they] aren’t aware of.”
I initially became interested in cloud-security research because I was curious about Linux malware and the lack of available information surrounding it. Linux, an open-source operating system, is a prime target for bad actors because it’s the foundation of and integral to many businesses’ operations. The little information available about Linux malware makes it even easier for attackers to deploy it undetected.
Today, Linux malware is becoming more sophisticated. We recently observed Linux malware using steganography, a method for hiding information in a seemingly ordinary medium like an image.
Another instance where we saw improved attack techniques was CVE-2022-26134, a widely exploited zero-day vulnerability in Atlassian’s Confluence Server and Data Center products allowing unauthenticated attackers to execute arbitrary code. This vulnerability is notable because it has been much more widely exploited than previous Confluence vulnerabilities. Known cloud-threat malware families such as Kinsing, Hezb, and the Dark.IoT botnet were quick to exploit this zero-day—and in more evolved ways. Kinsing, for instance, typically leverages legacy infrastructure in attacks; this instance was unique, however, because the attackers used a new malware host (18.104.22.168) for the Kinsing installer.
Accordingly, as malware families such as Kinsing continue to evolve their tactics, it’s critical for defenders to be aware of the indicators of compromise (IoCs) in CVE-2022-26134 and other vulnerabilities—and respond quickly.
Use Technology to Your Advantage
Technology can help you collect, analyze, and prioritize your data faster. But to do so, you need to use the right tools for the right tasks.
Automation should replace repetitive work, such as scanning logs for certain IP addresses. Machine learning (ML) can help identify and prioritize anomalous behavior. Visualization tools can help you sort and understand large data sets to predict an attacker’s path.
Still, regardless of how advanced a tool is, it won’t be accurate or helpful without sufficient data.
Gather and Explore Data to See What’s Happening
To stay ahead of attackers, you need to look at your environment from a risk-based perspective. While patching all vulnerabilities would be ideal, it’s just not possible. You need to think about what your business prioritizes—and which applications and resources have the most potential to do damage if compromised. These are what attackers want to find—the data and systems that keep your organization running. What’s important to you is a target for them.
Knowing which assets attackers might try to compromise and understanding their entry points and techniques can help you identify their attack paths. Attackers look for ways to enter your environment; from there, they try to determine the easiest path to get to the most valuable resource. In addition to looking for secrets and access keys, they also want to find misconfigurations and vulnerabilities from sources such as configuration data, activity-log data, and runtime-data logs.
Knowing where vulnerabilities are and fixing the most critical ones can keep bad actors away from the assets you need the most. The key to finding and prioritizing those vulnerabilities is data. When you have continuous, high-quality data from your environment, you can contextualize abnormal events faster and more accurately.