In Part 1 of our tales of real-world cloud attacks, we examined real-world examples of two common cloud attacks. The first started from a software-as-a-service (SaaS) marketplace, demonstrating the breadth of potential access vectors for cloud attacks and how they can enable lateral movement into other cloud resources, including a company's AWS environment. The second cloud attack demonstrated how attackers take over cloud infrastructure to inject cryptominers for their own profit.
As we have witnessed, more attacks have moved onto the cloud, so it was only a matter of time before ransomware attacks did, too. Let's look at two scenarios where attackers leveraged ransomware to make a profit, and how unique cloud capabilities helped victims avoid paying the ransom.
MongoDB Ransomware Demand Mitigated
The first case (or rather cases, as this attack has appeared numerous times) is the notorious MongoDB ransomware, which has been ongoing for years. The attack itself is simple: attackers use a script to scan the internet (and now, common cloud vendor address spaces) for hosts running MongoDB exposed to the internet. The attackers then try to connect to MongoDB with the empty admin password. If successful, the attack erases the database and replaces it with a double ransomware note: pay, and your data will be returned; don't pay, and your data will be leaked.
Intervention was necessary to address the second part of the extortion scheme: data leakage. Luckily, the company had data backups, so recovery was easy, but the database contained considerable amounts of personally identifiable information (PII), which, if leaked, would be a major crisis for the company. This forced them into the position of either paying a hefty ransom or dealing with the press. MongoDB default logging, unfortunately, can't provide a definitive answer regarding the data accessed, as not all possible types of data collection commands are logged by default.
This is where the cloud infrastructure became an advantage. While MongoDB may not log every command, AWS logs the traffic going in and out of servers, because it charges for network traffic. Correlating the network traffic going out of the attacked server with the times when the attackers were connected to the compromised MongoDB server provided proof that the data could not have been downloaded by the attackers.
This allowed the company to avoid paying the ransom and ignore the threat. As expected, nothing further was heard from the attackers.
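The correlation described above, as an added example that is not part of the original article: it assumes the AWS traffic records are VPC Flow Logs in the default version 2 format and that attacker session times were recovered from the MongoDB connection log. The server IP, session window, data size, and sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, VPC Flow Logs default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.50 27017 51544 6 40 18200 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.25 51544 27017 6 35 9100 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.50 27017 51544 6 12 4300 1700000070 1700000130 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 443 40122 6 900 1250000 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000130 1700000190 - NODATA
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.50 27017 51600 6 3 180 1700000200 1700000260 REJECT OK
"""

SERVER_IP = "10.0.1.25"                        # hypothetical MongoDB host
ATTACKER_WINDOWS = [(1700000000, 1700000150)]  # hypothetical session times (epoch s)
DATASET_BYTES = 5 * 1024**3                    # hypothetical on-disk data size


def parse_flows(text):
    """Return (src, dst, bytes, start, end) for accepted, valid records only."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        # Skip malformed lines, NODATA/SKIPDATA records and rejected traffic.
        if len(f) != 14 or f[13] != "OK" or f[12] != "ACCEPT":
            continue
        flows.append((f[3], f[4], int(f[9]), int(f[10]), int(f[11])))
    return flows


def egress_by_destination(flows, server_ip, windows):
    """Bytes sent by server_ip, per destination, in records overlapping a window."""
    out = defaultdict(int)
    for src, dst, nbytes, start, end in flows:
        overlaps = any(start <= w_end and end >= w_start for w_start, w_end in windows)
        if src == server_ip and overlaps:
            out[dst] += nbytes
    return dict(out)


def full_download_possible(egress, dataset_bytes):
    """Flow-log bytes include packet headers, so the sum is an upper bound on payload."""
    return sum(egress.values()) >= dataset_bytes


if __name__ == "__main__":
    egress = egress_by_destination(parse_flows(SAMPLE_FLOW_LOGS), SERVER_IP, ATTACKER_WINDOWS)
    print(egress, full_download_possible(egress, DATASET_BYTES))
```

Counting every record that overlaps a session window overestimates egress, which keeps the conclusion conservative. If wire compression was enabled on the database connection, compare against a compressed-size estimate rather than the raw data size.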
Mitigating Ransomware in a Cloud Environment
Another company experienced an attack on its main servers running on AWS EC2, where it was hit by a ransomware Trojan, not unlike those seen on on-premises servers. As often happens these days, this was another double-extortion ransomware attack, and the company needed help dealing with both issues.
Luckily, due to the company's cloud architecture and preparedness, there were AWS snapshots of the environment going back 14 days. The attackers were unaware of the snapshots and had not disabled them in their attack. This allowed the company to immediately revert to the day before the data encryption, resolving the first part of the attack with minimal effort. That still left two challenges to deal with: the potential data leak and the eradication of the attackers from the environment.
To address these challenges, there was a full investigation of the breach, which turned out to be quite complex due to the hybrid nature of their environment. The attackers compromised a single account with limited access, used by an IT person. They then identified a legacy on-premises server where that person was an admin and used it to take over the Okta service account, allowing privilege escalation. Finally, using a decommissioned VPN service, they were able to hop to the cloud environment. Using the elevated privileges, they took over the EC2 servers and installed the malware.
The investigation yielded two important findings. The first was the attack timeline. It showed that the compromise of all hosts occurred before the earliest snapshots were taken, indicating that the recovered servers were compromised and could not be used. New servers were installed, the data was transferred to them, and the original affected servers were purged.
The second finding was even more surprising. Malware analysis identified that the attackers used rclone.exe to copy the files to a remote location. The connection credentials were hardcoded in the malware, so the company was able to connect to the same location and identify and remove their files, eliminating the attackers' access to the files and removing the extortion aspect of the attack.
Cloud Breaches Are Here to Stay
As these real-life scenarios demonstrate, attackers are infiltrating the cloud and cloud breaches are on the rise. It's time for organizations to prepare for cloud incidents. Cybercriminals are leveraging cloud capabilities in attacks, and you should use them, too, to protect your organization and prevent a crisis from hitting the headlines.