Cloud misconfiguration incidents have reached new heights as ever more data is exposed to the public. Poorly configured cloud services can and will be abused by attackers. The latest research by Palo Alto Networks' Unit 42 reveals some sobering figures.
About the research
The researchers deployed a honeypot infrastructure of 320 nodes across the globe. On these nodes they deliberately misconfigured commonly used cloud services, including RDP, SSH, a Postgres database, and SMB. The study, conducted between July and August, measured the frequency, timing, and origins of the attacks.
What did they find?
Around 80% of the honeypots were compromised within 24 hours and the rest were compromised within a week.
SSH was the most attacked application; the most attacked SSH honeypot was compromised 169 times in a single day.
Each honeypot was compromised 26 times a day.
One attacker compromised 96% of the researchers’ 80 Postgres honeypots within 30 seconds.
Why does this matter?
It is striking that threat actors found and compromised the honeypots within minutes. The research clearly demonstrates the threat faced by insecure, exposed cloud services: when a misconfigured database is left open to the internet, attackers need only minutes to find and exploit it.
What did we learn from this?
Avoid common cloud configuration mistakes. Implement a guardrail that prevents privileged ports from being left open. The researchers also recommend creating automated response and remediation processes to address misconfigurations, and deploying state-of-the-art firewalls to block malicious traffic.
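As an added illustration of such a guardrail (example code, not part of the article or of the Unit 42 research), the script below audits a set of inbound firewall or security-group rules for the four services the researchers exposed (SSH, RDP, Postgres, SMB) reachable from outside a trusted range, and then applies the automated remediation the researchers recommend by dropping the offending rules. The rule shape, the trusted CIDR list, and the sample rules are constructed for this example and do not mirror any specific cloud provider's API.

```python
"""Guardrail for privileged ports exposed beyond trusted networks.

Added example, not from the article or from Unit 42. The IngressRule
layout is a simplified, vendor-neutral stand-in for a security-group
ingress rule; the trusted ranges and sample rules are constructed.
"""

import ipaddress
from dataclasses import dataclass

# Default ports of the services the honeypot study deliberately exposed.
PRIVILEGED_PORTS = {
    22: "SSH",
    3389: "RDP",
    5432: "Postgres",
    445: "SMB",
}


@dataclass
class IngressRule:
    group: str
    protocol: str     # "tcp", "udp", or "-1" meaning all protocols
    from_port: int    # -1 means all ports
    to_port: int
    cidr: str         # source CIDR allowed by the rule


@dataclass
class Finding:
    group: str
    port: int
    service: str
    cidr: str
    remediation: str


def _covers_port(rule: IngressRule, port: int) -> bool:
    """True if the rule admits TCP traffic to the given port."""
    if rule.protocol not in ("tcp", "-1"):
        return False
    if rule.from_port == -1:
        return True
    return rule.from_port <= port <= rule.to_port


def _is_trusted(cidr: str, trusted) -> bool:
    """True if the source CIDR lies entirely inside a trusted range."""
    src = ipaddress.ip_network(cidr, strict=False)
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit(rules, trusted_cidrs):
    """Return one Finding per (rule, privileged port) exposed to an untrusted source."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        if _is_trusted(rule.cidr, trusted):
            continue
        for port, service in PRIVILEGED_PORTS.items():
            if _covers_port(rule, port):
                findings.append(Finding(
                    group=rule.group, port=port, service=service, cidr=rule.cidr,
                    remediation=(f"Remove {rule.cidr} from {rule.group} for "
                                 f"{service}/{port}; allow only {', '.join(trusted_cidrs)}"),
                ))
    return findings


def remediate(rules, trusted_cidrs):
    """Automated remediation: drop every rule that produced a finding."""
    bad_groups_cidrs = {(f.group, f.cidr) for f in audit(rules, trusted_cidrs)}
    return [r for r in rules if (r.group, r.cidr) not in bad_groups_cidrs]


# Constructed sample data: a hypothetical trusted VPN range and five rules.
TRUSTED = ["10.0.0.0/8"]
SAMPLE_RULES = [
    IngressRule("web-sg", "tcp", 80, 80, "0.0.0.0/0"),           # public web: fine
    IngressRule("db-sg", "tcp", 5432, 5432, "0.0.0.0/0"),        # Postgres to the world
    IngressRule("bastion-sg", "tcp", 22, 22, "10.0.0.0/8"),      # SSH from VPN only: fine
    IngressRule("legacy-sg", "-1", -1, -1, "0.0.0.0/0"),         # everything open
    IngressRule("file-sg", "tcp", 445, 445, "203.0.113.0/24"),   # SMB from untrusted range
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, TRUSTED):
        print(f"[{f.group}] {f.service}/{f.port} open to {f.cidr} -> {f.remediation}")
    print("after remediation:", [r.group for r in remediate(SAMPLE_RULES, TRUSTED)])
```

Run as a scheduled job against exported rule sets, the audit step alone gives the alerting half of the guardrail; the remediation step is deliberately blunt (it removes the whole rule rather than narrowing it) so that a misconfiguration is closed first and re-opened narrowly by a human afterwards.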