Cyber attacks in the cloud take less than ten minutes to launch
Researchers said the time it takes to attack the cloud is “light years” quicker than traditional scenarios


New research into cyber attacks in the cloud has shown that on average it takes less than ten minutes to launch an attack after first discovering credentials.
The finding concerned targeted attacks, where cyber criminals chose their targets for a specific reason, such as having a misconfiguration in their cloud environment that could be exploited.
Of the ten minutes it took from finding a working credential to launching the attack, five of them were dwell time.
When cyber criminals can enter a cloud environment and launch an attack at such pace, it becomes extremely difficult for defenders to detect the intrusion and prevent the attack from taking place.
During opportunistic attacks - those without a specific target - it took cyber criminals on average less than two minutes to find a publicly exposed credential once their scanning had turned up a weakness such as a misconfiguration. It then took an average of 21 minutes for them to initiate an attack.
Researchers at Sysdig attributed the speed of attacks to the weaponization of automation, warning that attackers are focusing on identity and access management (IAM) with evolving techniques for credential access, privilege escalation, and lateral movement.
While the time from credential discovery to starting an attack was measured in minutes, the team noted that attackers could need hours to identify a suitable target - depending on motive and visibility.
Getting hold of a secret was highly dependent on the storage location. For example, with AWS S3 buckets, an attacker might have to spend several days searching for a specific public name.
The increasing emphasis on ‘everything as code’ in the cloud environment has contributed to the difficulties defenders face. The report noted: “A syntax error while writing code for appropriate access and privileges could be the only thing standing between you and front‑page news”.
Serverless function code and infrastructure-as-code (IaC) software such as CloudFormation and Terraform were said to be of particular interest to attackers since the files can contain credentials or secrets but might be overlooked by security scans.
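The kind of check the paragraph above is pointing at, as an added example that is not code from the Sysdig report or from ITPro: a small scanner that looks through Terraform and CloudFormation text for hard-coded AWS credentials. The key formats are AWS's public ones (a 20-character access key ID beginning AKIA or ASIA, a 40-character secret), and the sample values are the placeholders from AWS's own documentation, not live keys; the file contents, resource names and function names are constructed for the illustration.

```python
"""Scan infrastructure-as-code text for hard-coded AWS credentials (added example)."""
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for long-term
# keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters of base64-style text. On its own that
# pattern is noisy, so it is only matched when the key name mentions "secret"
# (covers secret_key, secret-access-key, AWS_SECRET_ACCESS_KEY and similar).
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_-]?(?:access[_-]?)?key\W{0,3}[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def scan_text(text: str) -> list[Finding]:
    """Return every credential-looking value in the text with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_secret_access_key", m.group(1)))
    return findings


def scan_all(documents: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan several named documents and keep only those with findings."""
    return {name: found for name, text in documents.items() if (found := scan_text(text))}


# Constructed samples. The credential values are the placeholders used in AWS
# documentation; they follow the real format but are not valid keys.
BAD_TERRAFORM = '''
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''

# A serverless function template that smuggles the secret in as an env var.
BAD_CLOUDFORMATION = '''
Resources:
  Worker:
    Type: AWS::Lambda::Function
    Properties:
      Environment:
        Variables:
          AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
'''

# The corrected form: no credentials in the file, the provider picks them up
# from the environment or the instance/task role at plan and apply time.
GOOD_TERRAFORM = '''
provider "aws" {
  region = "us-east-1"
}
'''

if __name__ == "__main__":
    for name, found in scan_all({"main.tf": BAD_TERRAFORM,
                                 "template.yaml": BAD_CLOUDFORMATION,
                                 "clean.tf": GOOD_TERRAFORM}).items():
        for f in found:
            print(f"{name}:{f.line_no}: {f.kind} {f.value[:4]}...")
```

Two caveats a practitioner would add: the same patterns need to be run over `.tfvars`, `terraform.tfstate` and `.env` files, which are where credentials most often end up, and a regex scanner catches only well-formed AWS keys; a secret that is just a long random string needs an entropy check or a commit-time hook that blocks known formats before they reach a public repository.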
What is in your supply chain?
Researchers also considered the state of containers. The nature of the technology - essentially a package to deliver an application with everything required built-in - can make them an ideal delivery mechanism for malicious code.
After analyzing 13,000 Docker Hub images, researchers found 819 were malicious. Around 10% of those evaded static detection thanks to techniques for hiding the malicious code; only at runtime could the threat be identified.
Performing a static scan of the contents of a container will only go so far and is not enough to assure safety.
Researchers cited an example of a threat actor that created 11 accounts, all hosting 30 of the same container images. The image itself looked benign but launched a disguised cryptominer when it was run.
A runtime threat detection tool is therefore required, as well as static image analysis and vulnerability scanning.
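What runtime detection looks like at its simplest, as an added example rather than anything from the Sysdig report or from any product: a classifier run over constructed container runtime events (process executions and outbound connections) that flags the cryptominer behaviour described above, which no static scan of the image layers would have seen. The event schema, container IDs, hostnames, indicator lists and port numbers are all assumptions made for the illustration.

```python
"""Flag cryptominer behaviour in container runtime telemetry (added example)."""
import json
import re
from collections import defaultdict

# Indicators used by commodity miners. Constructed for the example; a real
# tool would ship a maintained indicator set and weight the noisier ones.
MINER_BINARIES = {"xmrig", "minerd", "cpuminer", "xmr-stak", "kdevtmpfsi"}
MINER_FLAGS = ("--donate-level", "--coin", "--algo", "-o stratum")
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}


def classify(event: dict) -> list[str]:
    """Return the reasons one runtime event looks like mining activity."""
    reasons: list[str] = []
    if event.get("type") == "exec":
        cmd = event.get("cmdline", "")
        exe = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if exe in MINER_BINARIES:
            reasons.append(f"known miner binary {exe}")
        if STRATUM_RE.search(cmd):
            reasons.append("stratum URL on command line")
        if any(flag in cmd for flag in MINER_FLAGS):
            reasons.append("miner-style command-line flags")
    elif event.get("type") == "connect":
        if event.get("direction") == "egress" and event.get("dport") in POOL_PORTS:
            reasons.append(f"egress to common mining-pool port {event['dport']}")
    return reasons


def detect(lines: list[str]) -> dict[str, list[str]]:
    """Aggregate reasons per container over a stream of JSON-lines events."""
    alerts: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for reason in classify(event):
            alerts[event["container"]].append(f"ts={event['ts']} {reason}")
    return dict(alerts)


# Constructed telemetry. Container c-1 is a normal web server; c-2 starts from
# a benign-looking entrypoint and then drops and runs a miner.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "exec", "container": "c-1", "cmdline": "nginx -g 'daemon off;'"},
    {"ts": 2, "type": "connect", "container": "c-1", "direction": "egress",
     "dhost": "api.example.net", "dport": 443},
    {"ts": 3, "type": "exec", "container": "c-2", "cmdline": "/usr/local/bin/entrypoint.sh"},
    {"ts": 4, "type": "exec", "container": "c-2",
     "cmdline": "/tmp/.x/xmrig -o stratum+tcp://pool.example:3333 --donate-level 1"},
    {"ts": 5, "type": "connect", "container": "c-2", "direction": "egress",
     "dhost": "pool.example", "dport": 3333},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for container, reasons in detect(SAMPLE_LOG.splitlines()).items():
        print(container)
        for r in reasons:
            print("  ", r)
```

The port indicator on its own is weak (plenty of legitimate services use 4444 or 5555), which is why the aggregation per container matters: a hit on the port alone is a low-confidence signal, while a known miner binary plus a stratum URL plus a pool connection from the same container is something a responder should act on. Static image analysis and vulnerability scanning still belong in the pipeline; this is the layer that catches what they cannot.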
What are the targets and what are the goals?
Nearly two-thirds (65%) of cloud attacks target the telecommunications and finance sectors specifically.
The researchers didn’t comment on why these sectors were targeted so often, but they are among the most valuable in the world, both holding highly sensitive information.
For the telecommunications sector, as well as harvesting personal information, the data collected can potentially be used for SIM swapping - taking over a victim's phone number so that SMS-based two-factor authentication (2FA) codes for other important accounts are delivered to the attacker.
After the telecommunications and finance sectors, healthcare and defense trailed at 5% and 1%, respectively. The finding surprised researchers, considering the type of data that could be stolen.
Other goals include resource hijacking, where an attacker will seek to quickly monetize an asset by spinning up cryptomining instances and leveraging existing instances to launch new attacks.
Mitigation and trends
Defending against and mitigating attacks requires a multi-pronged approach, researchers said.
For example, vendors such as AWS scan GitHub for leaked AWS credentials and attach a quarantine policy to the affected key to limit the potential damage. According to the report, GitHub is also examining commits for several secret formats and can reject them automatically.
However, no such protection is complete: a determined user can still bypass safeguards put in place for their own safety, for example by pushing the secret in a format the scanner does not recognize.
As the cloud continues to move toward everything-as-code and container technologies, complexity will continue to increase, and attackers will take advantage of any mistakes made.
The report cited the rapid development of new cloud services as giving attackers new opportunities, despite continual security improvements by vendors. Although attack timelines are unlikely to shrink much further from the pace observed, the attacks themselves will continue to evolve, with automation becoming more prevalent.

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.