As commercial adoption of cloud technologies continues, cloud-focused malware campaigns have increased in both sophistication and number.
A new report from Cado Security is based on analysis of real-world attacker techniques observed on the company’s honeypot infrastructure. Last year Cado introduced ‘Cloudypots’, a more sophisticated, high-interaction honeypot system.
Among the findings are that attackers are increasingly targeting services such as Docker, Redis, Kubernetes, and Jupyter, which require service-specific expert knowledge to exploit, beyond what is needed to attack a generic Linux server.
Although cloud-focused attackers aim to exploit various services typically deployed in cloud environments, Docker remains the most frequently targeted for initial access, accounting for 90.65 percent of honeypot traffic when discounting SSH.
The report also shows that identified malware campaigns, such as P2Pinfect, had a wide geographical distribution with nodes belonging to providers in China, the US, and Germany, which shows that regardless of where infrastructure is located, it is still susceptible to Linux and cloud-focused attacks.
Attackers also continue to exploit web-facing services in cloud environments to help them gain access and they invest significant time in hunting for misconfigured deployments of these services.
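The misconfigurations the report says attackers hunt for are mostly visible in the service's own configuration before anyone scans for them. The following is an added example (not code from the Cado report) that audits two of the named services, Docker and Redis, for the exposures that hand an unauthenticated network peer control of the host: a Docker Engine API served over plain TCP without client-certificate verification, and a Redis instance listening on all interfaces with no password. The daemon.json keys (`hosts`, `tlsverify`) and redis.conf directives (`bind`, `protected-mode`, `requirepass`) are the real ones; the sample configurations are constructed for the example.

```python
"""Flag Docker and Redis configurations exposed to unauthenticated network access.

Added example: not the Cado report's code. Inputs are the text of dockerd's
daemon.json and of redis.conf; the sample documents at the bottom are constructed.
"""
import json
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARDS = {"0.0.0.0", "*", "::", "::*"}


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for a dockerd daemon.json document.

    A tcp:// listener is only safe when clients must present a certificate
    signed by the configured CA, i.e. "tlsverify": true. "tls": true alone
    encrypts the channel but still lets anyone connect and run containers.
    """
    cfg = json.loads(daemon_json)
    client_auth = cfg.get("tlsverify") is True and "tlscacert" in cfg
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlparse(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are governed by file permissions
        host = (url.hostname or "0.0.0.0").lower()
        if host in LOOPBACK:
            continue
        if not client_auth:
            findings.append(
                f"docker: API on {listener} without client-certificate verification; "
                "any peer that reaches the port can start a privileged container"
            )
    return findings


def audit_redis_conf(conf: str) -> list[str]:
    """Return findings for a redis.conf document.

    Redis's protected mode only refuses non-loopback clients when no bind
    directive is set AND no password is configured. An explicit wildcard bind
    bypasses it, so both paths are checked.
    """
    bind = None
    protected = "yes"
    has_password = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "bind":
            bind = value.split()
        elif key == "protected-mode":
            protected = value.strip().lower()
        elif key == "requirepass" and value.strip():
            has_password = True

    # "-::*" / "-0.0.0.0" are the optional-failure forms of the same wildcard
    explicit_all = bind is not None and any(b.lstrip("-") in WILDCARDS for b in bind)
    implicit_all = bind is None and protected == "no"
    findings = []
    if (explicit_all or implicit_all) and not has_password:
        findings.append(
            "redis: reachable from every interface with no requirepass; unauthenticated "
            "clients can run any command, including CONFIG SET to write files on disk"
        )
    elif explicit_all or implicit_all:
        findings.append("redis: reachable from every interface; only the password protects it")
    return findings


# Constructed sample configurations (not from any real deployment).
DOCKER_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DOCKER_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
REDIS_EXPOSED = "bind 0.0.0.0\nprotected-mode yes\n# requirepass foobared\n"
REDIS_DEFAULT = "protected-mode yes\n"  # no bind, no password: protected mode applies
REDIS_HARDENED = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass replace-me\n"

if __name__ == "__main__":
    for name, doc in [("exposed", DOCKER_EXPOSED), ("hardened", DOCKER_HARDENED)]:
        print(name, audit_docker_daemon(doc))
    for name, doc in [("exposed", REDIS_EXPOSED), ("default", REDIS_DEFAULT),
                      ("hardened", REDIS_HARDENED)]:
        print(name, audit_redis_conf(doc))
```

The Redis check mirrors the server's own rule rather than just grepping for `bind 0.0.0.0`: a default redis.conf with no bind line is safe only because protected mode is on, so flipping `protected-mode no` without adding a password is as exposed as an explicit wildcard bind.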
Cado’s report coincides with this week’s CISA cybersecurity advisory, SVR Cyber Actors Adapt Tactics for Initial Cloud Access, which describes what can happen when accounts at Cloud Service Providers (CSPs) are compromised.
Matt Muir, Threat Research Lead at Cado Security, says, “This advisory highlights the importance of securing access to CSP accounts and their associated cloud resources. It’s clear that cloud environments are susceptible to various sophisticated techniques, not just commodity malware attacks. In our recent threat report, we discuss some consequences of poor cloud security and provide recommendations for mitigating these scenarios.”