Even with cloud providers implementing defenses, glaring weaknesses remain

A new report from RedLock offers a look at the threats and vulnerabilities that continue to mount in public cloud computing environments.

Account compromises keep rising

Poor user and API access hygiene, combined with ineffective visibility and user activity monitoring, are causing organizations to be more vulnerable to breaches. For example, 73% of organizations allow the root user account to be used to perform activities – behavior that goes against security best practices. Furthermore, 16% of organizations have user accounts that have potentially been compromised.

The cryptocurrency effect

In many hacks, the goal is to steal data; now, the thieves also hijack compute resources in order to mine cryptocurrencies. The research reveals that 8% of organizations suffer from this strain of criminality, which mostly goes unnoticed because of ineffective network monitoring.

Still a long way from compliance

General Data Protection Regulation (GDPR) goes into effect in a few months, but organizations are far from where they need to be to effectively govern the cloud and ensure compliance. For instance, the analysis shows that 66% of databases are not encrypted.

Spectre, Meltdown and More

The vulnerabilities highlighted in the recent Spectre and Meltdown scares should serve as a wakeup call for organizations to address vulnerability management in the cloud. However, the research demonstrates that 83% of vulnerable hosts in the cloud are receiving suspicious traffic, since many organizations can’t leverage standalone on-premise tools to gain such visibility.

“The message from this research is loud and clear – the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities,” said Gaurav Kumar, CTO of RedLock. “In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: Organizations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough.”

Intrusion into Tesla’s public cloud environment

In the course of their work, RedLock researchers also learned about an intrusion into Tesla’s public cloud environment. In this case the hackers not only gained unauthorized access to non-public Tesla data, but were also stealing compute resources within Tesla’s AWS environment for cryptojacking. The researchers immediately informed Tesla of its findings, and the vulnerabilities have already been addressed.

The Tesla findings build on research from last year, when researchers found that hundreds of Kubernetes administration consoles were accessible over the internet without password protection, and were leaking credentials to other critical applications. In Tesla’s case, the cyber thieves gained access to Tesla’s Kubernetes administrative console, which exposed access credentials to Tesla’s AWS environment. Those credentials provided unfettered access to non-public Tesla information stored in Amazon S3 buckets.

In addition, the cyber thieves performed cryptojacking using Tesla’s cloud compute resources and employed specific techniques to evade detection. For example, instead of the more familiar public ‘mining pool,’ they installed mining pool software and configured the malicious script to connect to an ‘unlisted’ endpoint. That makes it harder for standard IP/domain-based threat intelligence feeds to detect malicious activity. Other tricks included hiding the true IP address of the mining pool server behind CloudFlare, and likely keeping CPU usage low to further evade detection.