- Cloud providers implement
- Limited access and access policies
- Access logs
- Ability to require access reason against repudiation
- Attempts to resolve computer security problems through hardware enhancements
- Roots of Trust (RoT): set of functions within TCM that are always trusted by the OS
- Stealing information from other cloud users
- Internal threats where employees copying company data with bad intentions e.g. to trade.
- Most of those breaches are not published & advertised to media.
- Information might include e.g. credit numbers, social security numbers
- Data loss
- Deleting data stored on the cloud through viruses and malware
- ❗ High impact if there are no back-ups
- Attack on sensitive information
- Stealing information about other users e.g. financial data.
- Attacker utilization of cloud infrastructure e.g.
- Using compute power to crack passwords with many password attempts per seconds
- DDoS attacks using cloud computing
- Shadow IT
- IT systems or solutions that are developed to handle an issue but aren't taken through proper approval chain
- Abusing cloud services
- Insecure interfaces and APIs
- E.g. weak authentication
- Insufficient due diligence
- Moving an application without knowing the security differences
- Shared technology issues
- Multi-tenant environments that don't provide proper isolation
- If the hypervisor is compromised, all hosts on that hypervisor are as well
- Unknown risk profile
- Subscribers don't know what security provisions are made behind the scenes.
- Inadequate infrastructure design and planning
- Conflicts between client hardening procedures and cloud environment
- Malicious insiders
- Illegal access to the cloud
- E.g. in US data breach in 2020 a compromised global administrator account has assigned credentials to cloud service principals that allowed malicious access to cloud systems 1
- Virtualization level attacks
- Privilege escalation via error
- Service termination and failure
- Hardware failure
- 💡 Can be mitigated by using more zones in cloud.
- Natural disasters
- 💡 Can be mitigated by using more regions in cloud.
- Weak authentication
- E.g. burden of managing identity both on-premises and on cloud
- Allows compromise on on-premises systems to spread to cloud.
- Allows adding a malicious certificate trust relationship in cloud for forging SAML tokens on-premises.
- E.g. burden of managing identity both on-premises and on cloud
- Compliance risks
- E.g. laws regarding data transfer across borders
- Cloud cryptojacking
- 📝 Hijacking cloud resources to mine for cryptocurrency
- Often targeted on IaaS platforms through malware
- Social engineering attacks e.g. password guessing
- Cross Site Scripting (XSS)
- DNS attacks e.g. DNS poisoning, domain hijacking
- SQL injection to to gain unauthorized access to a database.
- Network sniffing e.g. obtain credentials, cookies
- Session hijacking e.g. cookie stealing
- Cryptanalysis attacks e.g. weak encryption
- DoS (Denial-of-service)
- E.g. In 2020 United States federal government data breach 1
- Also known as XML rewriting attack
- Changes the content of the signed part without invalidating the signature.
- Intercepting a SOAP message and sending/replaying envelope with changed data.
- Happens when an attacker steals a user's cookie to use the application in the name of the user
- Simply CSRF in cloud
- Also known as • cross-guest virtual machine breach • cross-guest VM breach
- Attacker controls a VM on same physical host (by compromising one or placing own)
- Attacker can then take advantage of shared resources (processor cache, keys, ...)
- Can be installed by a malicious insider or an impersonated legitimate user
- 📝 Targets managed service providers (MSPs) and their users
- 📝 Initiated by delivering malware through spear-phishing emails
- Goal is to compromise the accounts of staff or cloud service firms to obtain confidential information
- Flow 2
- Infiltrate the service provider
- Once inside, find system administrator who controls the company jump servers with connection to client networks
- Map victim network and identify sensitive data
- Encrypt and exfiltrate the data either through victim or the service provider
- 🤗 Named after attacks by Chinese cyber spies 2 to MSPs in countries such as UK, USA and Sweden 1
- Done by exploiting a specific BMC vulnerability
- 📝 Bare-metal / firmware level attack
- Allows injecting code/backdoors
- Affects IaaS providers that gives bare-metal access without access to the actual firmware
- Impacting businesses that use bare metal cloud offerings
- Survives client switches (customer customer re-assignments) performed by the provider
- Targets baseboard management controller (BMC) firmware
- Mitigated by IBM through factory firmware reset before re-provisioning hardware to other customers 2
- Allows attacks such as
- permanent denial-of-service (PDoS) on bare metal server
- stealing data from application running on the server
- ransomware attacks
- Revealed by Eclypsium (Firmware protection firm) in 2019 based on IBM SoftLayer cloud services 1
- 📝 Done by using file synchronization services (e.g. Google Drive and Dropbox) as infrastructure
- E.g. as command and control (C&C), data exfiltration, and remote access.
- Makes it hard to
- distinguish malicious traffic from normal traffic
- discover and analyze evidence due to not leaving footprint on endpoint devices
- E.g. Switcher malware 1
- Installs attackers token and moves victim's real token into sync folder folder to be synced
- Victim device is synced to attackers attacker account
- Attacker uses original account token and erase malicious one
- Removes traces of the security breach
- CloudInspect
- Penetration-testing as a service from Amazon Web Services for EC2 users
- CloudPassage Halo
- Automates cloud computing security and compliance controls
- privacy.sexy
- Open-source solution to increase privacy by reducing third party cloud-based data collection
- Can also be used to harden virtual machine images and OSes that are talking to cloud services