If you think that hackers aren’t going after organizations’ data being hosted in the cloud, well think again. Armor, a leading cloud security solutions provider which protects the informational assets of 1,200 cloud clients globally, reported that during 2018 they detected and neutralized over 681 million cyberattacks being launched at its clients.
Armor’s customers are hosting their data in both public cloud environments and in its Virtual Private Cloud, Armor Complete. While the public hears lots of news reports of misconfigured cloud instances being left exposed on the Internet, the anatomy of many of the attacks deliberately going after cloud environments is not always described. Understanding the type of attacks being launched at cloud customers and how organizations can defend against these threats is vital for organizations looking to host their data in the cloud, whether in a public or virtual private cloud.
Amongst the over 681 million cyberattacks Armor detected and neutralized on behalf of its cloud customers, the four most frequently used attacks which Armor’s security analysts saw were: Attacks against known Software Vulnerabilities, Brute-Force Attacks /Attacks Involving Stolen Credentials, Web Application Attacks (e.g. SQL Injection, Cross Site Scripting, Cross-Site Request Forgery Attacks, and Remote File Inclusion) and Attacks targeting Internet of Things (IoT).
Armor’s analysts saw a tremendous amount of scanning of its clients’ environments. This is no surprise as scanning activity has become part of the normal noise of the Internet. Armor analysts, however, endeavor not to take this scanning activity for granted. “We have seen that by analyzing the scanning activity we detect, we can break the activity into groups of normal bot activity and likely malicious scanning activity, characterizing the malicious scanning activity to determine their most likely targets, turning the noise into information.” said Corey Milligan, Senior Security Researcher with Armor’s Threat Resistance Unit (TRU). This malicious scanning is often the first step in an attack.
The typical modus operandi for attacks of opportunity include: scanning the Internet for vulnerable applications or systems that can be compromised, getting an initial foothold into an organization’s IT environment and then looking for databases or other storage containers which might contain sensitive/valuable data (such as customer PII, payment card data or intellectual property). If none of this data is located then the cybercriminals might hijack the victim’s IT environment and use it as a launching pad for other illicit activities such as sending malicious phishing emails, conducting large spam campaigns, mounting DDoS attacks or utilizing an organization’s computing resources for crypto mining.
Many organizations, upon hearing that their organization isn’t being specifically targeted by a cybercrime group, assume the risk to them is low and feel justified in not budgeting for anything but the minimum required security controls. However, that move could prove to be fatal as an attack of opportunity can often be more damaging than a targeted attack, at least in the short term. If entities don’t have a capable, seasoned security team in place watching and defending their IT environment 24 x7, checking their logs and quickly responding to the mirage of cyberattacks being thrown at them, then cybercriminals, even those seeking crimes of opportunity, can do a lot of damage.
In analyzing the over 618 million attacks launched at its clients in 2018, Armor’s TRU Team found that many of the attacks they detected and neutralized were ones where the threat actors targeted known vulnerabilities in software applications. Like many security organizations, Armor has found that patching these vulnerabilities takes time as customer organizations test them first and work to ensure they install them without causing significant impact to their business. Threat actors are aware of this and often take advantage of it to attack before patches can be deployed.