Threat actors targeting common vulnerabilities in the cloud
Palo Alto Networks has published Volume 7 of its Unit 42 Cloud Threat Report. The report draws on data from more than 1,300 organisations and analyses the workloads in 210,000 cloud accounts, subscriptions and projects across all major Cloud Service Providers (CSPs), giving security leaders and practitioners a multifaceted view of cloud security.
With the rate of cloud migration showing no sign of slowing down, from USD$370 billion in 2021 to a predicted USD$830 billion in 2025, threat actors are looking to exploit common issues in the cloud, including misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities and malicious OSS packages.
"The complexity of managing hybrid and multicloud environments, paired with the fast evolution and growth of cloud workloads, continues to create significant opportunities for adversaries to gain a foothold in the cloud," said Steve Manley, Regional Vice President ANZ at Palo Alto Networks. "As organisations store and manage more data in the cloud, the attack surface grows exponentially, often in unknown or improperly secured ways. Threat actors have become adept at exploiting common, everyday issues in the cloud, which is why, unlike previous reports that examined a single threat, this report zooms out to look at the bigger, more expansive problem."
Some of the key findings from the report include:
Cloud users repeat common mistakes, which trigger most security alerts. In most organisations' cloud environments, 5% of the security rules trigger 80% of the alerts.
Organisations have a small set of risky behaviours in their cloud workloads, such as unrestricted firewall policies, exposed databases, and unenforced MFA. Prioritising remediation of these issues can maximise security investments.
Security alerts take too long to resolve. It takes an average of 145 hours (about six days) for security teams to resolve an alert, providing a lengthy window of opportunity for potential adversaries.
Sensitive data in the cloud is at risk. Sensitive data is found in 66% of storage buckets and 63% of publicly exposed storage buckets, and is vulnerable to insider and external threats. The lack of insight into stored information makes it difficult to protect sensitive data from being accidentally leaked.
Leaked credentials are pervasive and central to cloud breaches. 83% of organisations have hard-coded credentials in their source control management systems, and 85% have hard-coded credentials in virtual machines' user data.
Credential access continues to be a common tactic across all cloud threat actors.
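The two findings above name the places hard-coded credentials are most often left: source control and virtual machine user data. The following is an added example (not code from the report or from Palo Alto Networks) of the check a practitioner would run against both. It decodes a base64-encoded user-data script, as the EC2 API returns it, and scans it and a source file for known credential formats (AWS access key IDs, AWS secret keys, GitHub personal access tokens) plus a generic high-entropy heuristic for secrets without a recognisable prefix. The sample inputs are constructed for this example; the AWS key values are the AWS documentation placeholders and the other tokens are made up. The entropy threshold of 3.5 bits per character is an assumed cut-off, not a value from the report.

```python
import base64
import math
import re

# Constructed sample: an EC2-style cloud-init user-data script with a hard-coded
# AWS key pair, of the kind the report finding describes. Instances return user
# data base64-encoded, so the sample is stored that way. The key values are the
# AWS documentation placeholders, not real credentials.
SAMPLE_USER_DATA = base64.b64encode(b"""#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync s3://backup-bucket /data
""").decode()

# Constructed sample: an application config file committed to source control.
# Token values are made up for this example.
SAMPLE_SOURCE = """
DB_HOST = "db.internal"
DB_PASSWORD = "changeme"   # weak, but too short for the entropy heuristic
GITHUB_TOKEN = "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789"
WEBHOOK_SECRET = "q8Zk3mN2pL9vX7wR4tY6uB1cE5hJ0aD"
"""

# Structured credential formats with a fixed shape. The AWS secret pattern
# anchors on the variable name because the value alone is just 40 base64 chars.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\W*([A-Za-z0-9/+=]{40})"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Fallback for secrets without a known prefix: a NAME = "value" assignment whose
# value is long and high-entropy. Catches generic API keys, misses short passwords.
ASSIGNMENT = re.compile(
    r"""([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["']?([A-Za-z0-9/+=_\-]{20,})["']?""")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this example


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score well above 3.5."""
    length = len(s)
    return -sum(
        (s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s))


def redact(value):
    """Keep just enough of a match to locate it without re-leaking the secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source):
    """Return (source, line, finding_type, redacted_value) tuples for one document."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        structured_hit = False
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                structured_hit = True
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append((source, lineno, name, redact(value)))
        if structured_hit:
            continue  # don't double-report a known-format key as high entropy
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((source, lineno, "high_entropy_string", redact(value)))
    return findings


def scan_user_data(b64_user_data):
    """Decode base64 user data (as returned by the EC2 API) and scan it."""
    decoded = base64.b64decode(b64_user_data).decode("utf-8", errors="replace")
    return scan_text(decoded, "user-data")


if __name__ == "__main__":
    for finding in scan_user_data(SAMPLE_USER_DATA) + scan_text(SAMPLE_SOURCE, "config.py"):
        print(finding)
```

The structured patterns are reliable and cheap; the entropy heuristic is what catches the unlabelled tokens but also what produces false positives on hashes and base64 blobs, so in practice it is tuned per repository. Whatever the scanner reports, the remediation is the same: rotate the key, then move the secret out of user data and source into a secrets manager or an instance role.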
MFA is not enforced for cloud users. 76% of organisations don't enforce MFA for console users, and 58% don't enforce MFA for root/admin users, making console access susceptible to brute-force attacks.
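The MFA figures above are the kind of check each organisation can reproduce for its own accounts from the IAM credential report. The following is an added example (not code from the report or from Palo Alto Networks) that parses a credential report and lists every console-capable principal, root included, that has no MFA device active. The report content is constructed for this example in the column layout AWS uses, with the documentation placeholder account ID; only the columns the check reads carry meaningful values. API-only users are deliberately not flagged, since console MFA does not apply to them.

```python
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report. A real
# one is produced with `aws iam generate-credential-report` and fetched with
# `aws iam get-credential-report` (the Content field is base64-encoded CSV).
# Only the columns this check reads carry meaningful values here; the account
# ID is the AWS documentation placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2023-03-01T09:12:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-06-10T00:00:00+00:00,true,2023-03-02T10:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-02-15T00:00:00+00:00,true,no_information,2022-02-15T00:00:00+00:00,N/A,false,false
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2022-05-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true
"""

ROOT_USER = "<root_account>"  # literal the credential report uses for the root row


def has_console_access(row):
    """Root always has a console password (its password_enabled column reads
    not_supported); IAM users have one only when password_enabled is true."""
    return row["user"] == ROOT_USER or row["password_enabled"] == "true"


def console_users_without_mfa(report_csv):
    """Return (user, kind) for every console-capable principal lacking MFA.

    API-only users (no password) are deliberately skipped: MFA on the console
    does nothing for them, and their exposure is key rotation, not brute force.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if has_console_access(row) and row["mfa_active"] != "true":
            kind = "root" if row["user"] == ROOT_USER else "iam-user"
            flagged.append((row["user"], kind))
    return flagged


def summarise(report_csv):
    """Counts in the shape of the report's two headline MFA figures, for one account."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    console = [r for r in rows if has_console_access(r)]
    without = console_users_without_mfa(report_csv)
    return {
        "console_users": len(console),
        "console_users_without_mfa": len(without),
        "root_without_mfa": any(kind == "root" for _, kind in without),
    }


if __name__ == "__main__":
    for user, kind in console_users_without_mfa(SAMPLE_REPORT):
        print(f"{kind}: {user} has console access without MFA")
    print(summarise(SAMPLE_REPORT))
```

Detection is the easy half. Enforcing the finding means an identity-side control, such as a deny policy conditioned on the aws:MultiFactorAuthPresent key, rather than relying on users to enrol a device themselves.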
Attacks on software supply chains are on the rise. More than 7,300 malicious OSS packages were discovered in 2022, impacting tech giants and other organisations.
Managing code dependencies is challenging. 51% of codebases depend on over 100 open-source packages, and only 23% of those packages are imported directly by developers; the rest are transitive dependencies pulled in by other packages.
Vulnerabilities are therefore often introduced by these non-root (transitive) packages, which developers never chose and rarely review, and a flaw in one of them can put the entire cloud infrastructure at risk.
Unpatched vulnerabilities are a low-hanging fruit for attacks. 63% of codebases in production and 11% of public cloud hosts have high or critical unpatched vulnerabilities, posing risks to the entire cloud infrastructure.
Organisations should expect the cloud-native attack surface to expand as threat actors find new ways to target cloud infrastructure misconfigurations, APIs, and software supply chains. To enhance security against these threats, the industry will see a shift towards cloud-native application protection platforms (CNAPPs) that provide comprehensive capabilities throughout the application development process. This prediction is underscored by Gartner, which reported a 70% jump in client inquiries regarding CNAPPs from 2021 to 2022.
"Cloud technologies are maturing, and with cloud usage on the rise, threat actors are becoming smarter and more powerful every day, exploiting hidden weak spots and vulnerabilities," says Sean Duca, VP and Regional Chief Security Officer at Palo Alto Networks.
"The wide adoption of Object Storage Service in the cloud drives risks even higher for businesses in the region, making it faster and easier to compromise the shared software supply chain and ambush large numbers of victims simultaneously," he says.
"For threat actors, the cloud presents an opportunity, and organisations are exposed to risk in countless ways without proper management. Organisations must therefore take a comprehensive platform approach to identify and eliminate threats in real-time before compromising the cloud environment."