Cryptojacking has unquestionably gone mainstream. Despite heavy media and industry attention, organizations are struggling to meet compliance requirements in public cloud environments, according to RedLock.
On the flip side, there’s evidence that companies are becoming more aware of cloud account compromises and implementing best practices to prevent attacks, but there’s still no shortage of new attack vectors hitting the market.
The mainstreaming of cryptojacking
RedLock previously uncovered hacker infiltrations of public cloud environments owned by Tesla, Aviva and Gemalto. It’s now apparent the practice of stealing cloud compute resources specifically to mine cryptocurrency has accelerated and there are signs that attackers are using advanced evasion techniques for this purpose.
However, even with expectations of greater activity in this area, the numbers are a surprise. Researchers found that 25% of organizations suffered from cryptojacking incidents, a sharp spike representing a 3X increase from the 8% reported in the last quarter. On a related note, 85% of resources were found to have no firewall restrictions on any outbound traffic (up from 80% one year ago). For the record, industry best practices mandate that outbound network traffic should be restricted to prevent accidental data loss or data exfiltration in the event of a breach.
Among other measures, RedLock strongly recommends that organizations implement a ‘deny all’ default outbound firewall policy and monitor network activity for suspicious traffic such as communication with cryptomining pools.
Account compromises fueling new attack vectors
Again, there are indications that organizations are doing more than before to avert cloud account compromises, but dangers new and old certainly remain. Adding to such past issues as leaked credentials in GitHub repositories, unprotected Kubernetes administrative interfaces and web servers—all highlighted in previous RedLock reports—a major new threat vector can be found in public cloud Instance Metadata APIs.
A feature available to public cloud customers, Instance Metadata refers to data about a cloud Virtual Machine (VM) that can be used to configure or manage the running VM. In effect, any process running on the VM can query this API and obtain access credentials for the public cloud environment. The team identified several ways that hackers might exploit this API, although it is unclear whether any of these methods have been used in the wild. However, just as with the Spectre/Meltdown vulnerabilities of the recent past, the potential impact has a very large blast radius.
The core concern here is that despite the good news, 43% of all organizations have not rotated their access keys in more than 90 days. This is an unacceptable level of exposure. Fortunately, only 20% of organizations allow the root user account to be used to perform activities, a steep drop from the 73% reported last year.
RedLock recommends that enterprises eliminate the use of root accounts for day-to-day operations, enforce multi-factor authentication on all privileged user accounts, implement a policy to automatically force periodic rotation of access keys, and monitor for any anomalous behaviors.
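Two of the recommendations above (the ‘deny all’ default outbound policy from the cryptojacking section, and periodic access-key rotation) can be turned into automated posture checks. The following is an added example, not RedLock’s tooling: it audits constructed sample data shaped like the IAM access-key metadata and EC2 security-group egress rules the AWS APIs return, flagging active keys older than 90 days and security groups that allow unrestricted outbound traffic. The sample key IDs, user names and group ID are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of IAM access-key metadata (same fields boto3's
# iam.list_access_keys() returns). The key IDs are placeholders, not real keys.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000001",
     "Status": "Active", "CreateDate": datetime(2018, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000002",
     "Status": "Active", "CreateDate": datetime(2018, 5, 1, tzinfo=timezone.utc)},
    {"UserName": "old-service", "AccessKeyId": "AKIAEXAMPLE0000003",
     "Status": "Inactive", "CreateDate": datetime(2017, 3, 1, tzinfo=timezone.utc)},
]

# Constructed sample security group (shape of ec2.describe_security_groups()).
# IpProtocol "-1" means all protocols and ports; 0.0.0.0/0 means the whole Internet.
SAMPLE_SG = {
    "GroupId": "sg-example01",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def stale_access_keys(keys, now, max_age_days=90):
    """Return (user, key id, age in days) for each active key not rotated
    within max_age_days. Inactive keys are ignored: they cannot be used."""
    cutoff = now - timedelta(days=max_age_days)
    return [
        (k["UserName"], k["AccessKeyId"], (now - k["CreateDate"]).days)
        for k in keys
        if k["Status"] == "Active" and k["CreateDate"] < cutoff
    ]


def unrestricted_egress(sg):
    """True if any egress rule lets every protocol/port reach the whole Internet.
    A 'deny all by default' policy means no such rule should exist."""
    for rule in sg.get("IpPermissionsEgress", []):
        all_ports = rule.get("IpProtocol") == "-1" or (
            rule.get("FromPort") == 0 and rule.get("ToPort") == 65535)
        open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        open_v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
        if all_ports and (open_v4 or open_v6):
            return True
    return False


if __name__ == "__main__":
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    for user, key_id, age in stale_access_keys(SAMPLE_KEYS, now):
        print(f"ROTATE: {user} key {key_id} is {age} days old")
    if unrestricted_egress(SAMPLE_SG):
        print(f"OPEN EGRESS: {SAMPLE_SG['GroupId']} allows all outbound traffic")
```

In a real audit the two sample structures would come from the IAM and EC2 APIs for every account and region; the check logic stays the same.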
Ensuring the omnipresence of compliance
There’s certainly no shortage of industry standards for cybersecurity: NIST CSF, CIS, PCI DSS, SOC2, HIPAA and GDPR are just some of the acronyms serving up a blizzard of regulations and requirements. RedLock finds a decidedly mixed bag of effort and negligence in an operating environment where anything less than full compliance is essentially not compliance at all.
On the positive side, there is a growing trend toward database encryption, a helpful practice to meet the pseudonymization requirement in GDPR and a best practice in its own right. Barely a year ago, 82% of databases in the cloud were not encrypted; now, it’s 49%. However, on average organizations fail 30% of CIS Foundations’ best practices, 50% of PCI requirements, and 23% of NIST CSF requirements.
RedLock recommends that companies ensure cloud resources are automatically discovered when they are created, and monitored for compliance across all cloud environments; implement policy guardrails to ensure resource configurations adhere to industry standards; and integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues.
“We understand why there might be fatigue with endless reports on IT infrastructures that lack adequate security, and there are signs that corporations are stepping up initiatives to minimize vulnerabilities, but there’s definitely more to do,” said Gaurav Kumar, CTO of RedLock. “Cloud computing environments bring tremendous flexibility and great economies of scale, but those advantages are meaningless without top-level security. This is a constant and shared responsibility.”