With the transition to cloud environments, organizations are increasingly at risk of data breaches, targeted malware attacks, and more. Consider the recently discovered ‘Cloud Snooper’ attack, which uses a rootkit to sneak malicious traffic through a victim’s AWS and on-premise firewalls before dropping a remote access trojan.
While this new attack method has only popped up recently, many cybercriminals continue to rely on tried-and-tested methods to gain access to critical assets within organizations, such as the following.
Exposed API credentials
The exposure of API credentials or misconfigured APIs is one of the most common ways to gain access to cloud environments. Once an attacker obtains an access key, they use it from a host or platform under their control to execute API calls for malicious actions or privilege escalation. Keys are usually exposed via GitHub, BitBucket, shared images, and snapshots.
The recent leak of the personal data of over 6.5 million Israeli citizens is one example of such an attack. The leak occurred because the Likud party’s app was linked to an API endpoint that apparently had no password, which allowed third-party actors to obtain passwords for admin accounts. An API key can also be exposed through a developer mistake, as happened with Starbucks; had the exposed key fallen into the wrong hands, it would have allowed access to internal systems and manipulation of the list of authorized users. A major API leak incident was recorded in March 2019, when a group of academics discovered that over 100,000 GitHub repositories had leaked API tokens and cryptographic keys over a period of six months. Some of these keys were AWS credentials for a major related to college applications in the United States. There were also 564 Google API keys belonging to an online site used to skirt YouTube rate limits and download videos.
Misconfigured databases and servers
Misconfigured databases and servers are another major source of risk to data stored in the cloud. The misconfiguration is often a missing password or an unpatched server.
Attackers, especially state-sponsored groups, constantly look for well-known vulnerabilities in servers in order to deploy ransomware and backdoors, mine cryptocurrencies, or steal sensitive data. Widely exploited servers include Oracle WebLogic Server, Atlassian Confluence and, of late, the Microsoft Exchange email server.
Databases that are not secured with passwords have caused some of the major data leaks worldwide. The recent data leaks include the ones at Decathlon, SlickWrap, Virgin Media, and more.
Server-Side Request Forgery (SSRF)
Server-Side Request Forgery is another growing issue in cloud environments. SSRF is a threat because of the instance metadata API, which lets an application access configuration, logs, credentials and other information about the underlying cloud infrastructure; an attacker who can make the server issue requests on their behalf can reach that API too. If exploited, the vulnerability could enable an attacker to move laterally and conduct network reconnaissance.
The recent and infamous data breach at Capital One illustrates the potential of SSRF. The attackers leveraged SSRF to retrieve AWS credentials, which were later used to steal the personal information of over 100 million Capital One customers.
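One application-side mitigation for the metadata-API scenario above is to validate every URL the server fetches on a user's behalf before connecting. The following is an added example written for this article, not code from any of the incidents it describes; the metadata hostnames and the injectable `resolver` are assumptions made so the check can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames some cloud providers expose their metadata service under
# (constructed deny-list for this example; extend for your environment).
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata"}


def _default_resolver(host):
    """Resolve a hostname to the set of all A/AAAA addresses it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_outbound_url(url, resolver=_default_resolver):
    """Return True only if fetching `url` cannot reach the metadata service
    or any other internal address.

    Rejects non-HTTP schemes, known metadata hostnames, and any literal or
    resolved address that is link-local (169.254.0.0/16, fe80::/10),
    loopback, private, or otherwise not globally routable. Fails closed on
    resolution errors.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in METADATA_HOSTNAMES:
        return False
    try:
        # Literal IP (covers 169.254.169.254 and the IPv6 IMDS fd00:ec2::254).
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        # Hostname, or an alternative notation such as a decimal IPv4 address:
        # let the resolver normalise it, then check every resulting address.
        try:
            addrs = resolver(host)
        except (OSError, LookupError):
            return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip.is_link_local or ip.is_loopback or ip.is_private or not ip.is_global:
            return False
    return True
```

The address that passes this check must be the one the HTTP client actually connects to, including after redirects, or a DNS rebinding between check and connect defeats it. On AWS, requiring IMDSv2 (session-token authenticated metadata requests) is the complementary platform-side control.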
Phishing
Attackers have begun crafting phishing emails that lure users to fake login pages for Office 365 and other cloud applications. Organizations must therefore take adequate measures to prevent their cloud accounts and cloud applications from being hijacked.