Cloud Threat Report 2h 2020


Unit 42 (the Palo Alto Networks threat intelligence team) released the Unit 42 Cloud Threat Report, 2H 2020, revealing risks to global enterprises adopting cloud workloads.

Key findings

  • Unit 42 researchers demonstrate the impact of cloud misconfigurations
    • During a Red Team exercise with a customer, Unit 42 discovered two critical AWS misconfigurations in less than one week that could have led to a multi-million dollar data breach. Palo Alto Networks helped the customer remediate the issue.
  • Cryptojacking is a growing cloud threat for organizations
    • 23% of organizations globally that maintain cloud infrastructure are affected by cryptojacking (up from 8% in February 2018) — and poorly configured environments are most at risk. Canada, in particular, ranks fourth among the top countries where mining pools are connected to cloud organizations. (Canada only)
  • Poor cloud security hygiene plagues organizations
    • 62% of global organizations run GCP workloads with admin privileges; 47% of global organizations on AWS workloads don’t have MFA enabled for users. Both are avenues for attackers to infiltrate an organization and wreak havoc.
  • 74% of EMEA organisations display poorer cloud identity hygiene
    • 74% of EMEA organisations are displaying poorer cloud identity hygiene by using Google Cloud to run workloads with admin privilege (compared to Americas: 58%)


Executive Summary

Cloud is poised to become the dominant way that organizations store their data and manage applications. Our own data shows 46% of organizational workloads are already there, with the figure likely to grow to 64% in the next 24 months. To better understand the threat landscape associated with this rapid shift, Unit 42 researchers focused deeply on identity in the cloud. They analyzed methods that attackers use to silently perform reconnaissance operations, as well as common threat actors. Researchers also carefully identified steps organizations can take to build a cloud security program based upon identity best practices. The research took place between May and August 2020 and was global in scope—spanning terabytes of data, thousands of cloud accounts, and more than 100,000 GitHub code repositories. Overall, the findings indicate that identity misconfigurations are prevalent across cloud accounts and represent a significant security risk to organizations, which can lead to costly data breaches.

Cloud Identity Flaws Are Difficult to Detect

During a Red Team exercise, Unit 42 researchers were able to use a customer misconfiguration to compromise an entire Amazon Web Services (AWS®) environment, with thousands of workloads, in less than one week. They were able to do this by exploiting a single misconfigured IAM trust policy. With this flaw, an attacker could launch any number of attacks against an organization, including denial-of-service (DoS) and ransomware, or even open a door for an advanced persistent threat (APT) adversary. Because identity defects are difficult to detect, especially at scale, many go unnoticed by organizations until it’s too late.
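The report does not publish the specific trust policy involved, so the following is an added illustration rather than Unit 42's own tooling: a small offline audit that flags the two most common IAM trust-policy defects, a wildcard principal (anyone can assume the role) and a cross-account principal trusted without an `sts:ExternalId` condition. The policy documents and account IDs are constructed placeholders.

```python
import json

# Three constructed trust-policy documents (illustrative samples, not the
# policy from the Unit 42 Red Team exercise). Account IDs are placeholders.
OWN_ACCOUNT = "123456789012"
OPEN_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})
CROSS_ACCOUNT_NO_EXTERNAL_ID = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"}]})
CROSS_ACCOUNT_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "placeholder-external-id"}}}]})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy_json, own_account=OWN_ACCOUNT):
    """Flag trust-policy statements that let unintended principals assume the role.

    Returns a list of finding strings; an empty list means nothing was flagged.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions.isdisjoint({"sts:assumerole", "sts:*", "*"}):
            continue  # statement does not grant AssumeRole at all
        principal = stmt.get("Principal", {})
        # "Principal": "*" and {"AWS": "*"} both mean "anyone"
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in v for v in conditions.values())
        for p in aws_principals:
            if p == "*":
                findings.append("CRITICAL: any AWS principal may assume this role")
            elif f":{own_account}:" not in p and not has_external_id:
                findings.append(f"HIGH: cross-account principal {p} trusted without an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for name, doc in [("open", OPEN_TRUST), ("cross-no-extid", CROSS_ACCOUNT_NO_EXTERNAL_ID),
                      ("cross-scoped", CROSS_ACCOUNT_SCOPED)]:
        print(name, trust_policy_findings(doc) or ["OK"])
```

In a real account the input would come from `iam:GetRole` (the `AssumeRolePolicyDocument` field) for every role; the same check is worth running continuously, since the report's point is that such defects go unnoticed until they are exploited.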

Identity Misconfigurations Lead to High-Impact Failures

In the same Red Team exercise, Unit 42 researchers identified an IAM role used by hundreds of users, which they were able to compromise. This allowed them to achieve administrative access outside of the development area. Once outside of development, the misconfigured IAM role allowed researchers to identify and hijack a legitimate administrator account and establish full administrative control over the entire cloud environment. With the “keys to the kingdom,” attackers could launch any number of attacks against an organization, such as stealing sensitive data or wiping out the entire infrastructure.

JAPAC and EMEA Organizations Display Poor Cloud Identity Hygiene

Unit 42 researchers found that 75% of organizations in Japan and Asia-Pacific (JAPAC) as well as 74% of organizations in Europe, the Middle East, and Africa (EMEA) are using Google Cloud to run workloads with admin privileges. By contrast, only 54% of organizations in the Americas run with the same type of privileges. It is a best practice to run workloads with the principle of least privilege—limiting permissions for users to the bare minimum they need. If an attacker is able to compromise a workload with admin privileges, they would gain the same level of elevated access. This provides an easy path for attackers to use cloud resources to perform attacks, like cryptojacking operations, at the expense of the organization.

Cryptojacking Remains a Persistent Threat for Organizations

Unit 42 research shows cryptojacking affects at least 23% of organizations globally that maintain cloud infrastructure—a sharp rise from the 8% that researchers observed in February 2018. The mining pools connected to by cloud organizations are more often located in the United States, with 69% of all public mining traffic being directed to US systems. This is due to the majority of the Monero nodes being hosted on US systems. Monero is a popular cryptocurrency used in cryptojacking operations.