Ransomware goes cloud native to target your backup infrastructure

Credential compromise and misconfiguration woes: More sophisticated threat groups have developed social engineering techniques to the point where they reliably trick targets into helping them to bypass multi-factor authentication (MFA) controls before ransacking compromised cloud-hosted environments.

For example, threat actors are using compromised OAuth tokens to bypass MFA and inject malicious code into developer ecosystems via automated CI/CD pipelines, Google’s researchers warn. Google has introduced Verified CRX Upload controls to secure the non-human identities used in these cloud-based build processes as a countermeasure against this vector of attack.

Bernard Montel, EMEA technical director and security strategist at Tenable, told CSO that credential compromise and misconfiguration continue to be the “Achilles’ heel of cloud security,” echoing a key finding from Google Cloud’s researchers. Secrets and credentials are routinely mishandled across cloud environments, according to research from Tenable. More than half (54%) of organizations using AWS ECS task definitions and 52% using GCP CloudRun have secrets embedded in configurations. Around 3.5% of AWS EC2 instances contain secrets in user data. “These secrets, often in the form of API keys or tokens, are prime targets for attackers and can lead to full compromise of the environment,” Montel explained.

The threat extends beyond ransomware. For example, the Kinsing malware campaign targets Linux-based cloud infrastructure by exploiting misconfigured containers and servers to deploy cryptominers. In some cases, attackers have hidden malware in obscure filesystem locations such as manual page directories in order to evade detection. “These credentials, once compromised, can enable lateral movement and privilege escalation, bypassing traditional perimeter defenses and exposing sensitive data,” Montel added.

The North Korean UNC4899 cluster offers a textbook example of exploitation of the tactic in pursuit of cybercrime, according to ITGL’s Kasabji. “Engineers are wooed over LinkedIn or Telegram, tricked into running malicious containers, and the attackers walk away with long-lived cloud tokens that sidestep MFA entirely,” Kasabji said.

Countermeasures: Identity hygiene and configuration management remain the cloud defender’s first line of defense. Google Cloud’s report advocates robust identity and access management and proactive vulnerability management alongside “robust recovery mechanisms,” checks on “supply chain integrity,” and “continuous vigilance against sophisticated social engineering” attacks.

Tenable’s Montel advised: “To counter these threats, organizations must adopt a layered defence strategy: enforce least privilege, secure identities with multi-factor authentication and just-in-time access and continuously monitor for misconfigurations and public exposures.”
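As an added illustration of the "secrets embedded in ECS task definitions" finding and the advice to monitor for misconfigurations (example code written for this page, not code from the article, CSO, Tenable or Google): a small Python check that flags plaintext credentials in a task definition's `environment` entries and rewrites them as `secrets` entries with a `valueFrom` reference, which keeps the value out of the task definition itself. The sample task definition, the detection patterns and the ARN prefix are constructed assumptions.

```python
import copy
import json
import re

# Constructed sample ECS task definition (not from the article): the "api"
# container carries two plaintext credentials in its `environment` block.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "billing-api",
  "containerDefinitions": [
    {"name": "api", "environment": [
       {"name": "LOG_LEVEL", "value": "info"},
       {"name": "STRIPE_API_KEY", "value": "sk_live_PLACEHOLDER0123456789"},
       {"name": "UPLOAD_ID", "value": "AKIAIOSFODNN7EXAMPLE"}
    ]}
  ]
}
""")

# Heuristics (hypothetical, tune for your estate): a variable name that hints
# at a credential, or a value shaped like a well-known key format.
NAME_HINTS = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY", re.I)
VALUE_HINTS = re.compile(r"^(AKIA[0-9A-Z]{16}|sk_live_[0-9A-Za-z]{10,}|gh[pousr]_[0-9A-Za-z]{20,})$")

def find_embedded_secrets(task_def):
    """Return (container, variable) pairs whose plaintext `environment` entries look like secrets."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        for env in c.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            if NAME_HINTS.search(name) or VALUE_HINTS.match(value):
                findings.append((c["name"], name))
    return findings

def to_secret_refs(task_def, arn_prefix):
    """Return a copy where each flagged variable is moved from `environment` to `secrets`
    with a `valueFrom` ARN; arn_prefix + name is a placeholder for the real secret ARN."""
    fixed = copy.deepcopy(task_def)
    flagged = set(find_embedded_secrets(fixed))
    for c in fixed.get("containerDefinitions", []):
        keep = []
        for env in c.get("environment", []):
            if (c["name"], env["name"]) in flagged:
                c.setdefault("secrets", []).append(
                    {"name": env["name"], "valueFrom": arn_prefix + env["name"]})
            else:
                keep.append(env)
        if "environment" in c: c["environment"] = keep
    return fixed
```

Running `find_embedded_secrets` over every registered task definition (for example, output of `aws ecs describe-task-definition`) gives a quick inventory of where plaintext secrets still live; the rewrite only shows the target shape, since the secret itself must first be created in Secrets Manager or SSM Parameter Store.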

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4033018/ransomware-goes-cloud-native-to-target-your-backup-infrastructure.html
