TOP TEN THREATS TO
CLOUD SECURITY
PRESENTED BY: JAMES CONDON
APRIL 10TH, 2019
AWS SECURITY WEEK NY
AGENDA
whoami
Threatscapes: Enterprise vs Cloud
Top 10 threats to the cloud, examples, and
mitigations
whoami
• James Condon, Director of Research @ Lacework
• Former USAF OSI, Mandiant, and ProtectWise
• Network Forensics, Incident Response, Threat Intelligence, Cloud Security
@laceworklabs
@jameswcondon
ENTERPRISE VS CLOUD THREATSCAPE
Enterprise Landscape
• Mostly human users
• Laptops, workstations, mobile, on-prem servers
• Windows, macOS, Linux, iOS, Android, etc.
• Organization owns network and network devices
• Email & web browsing
• Traditional security model
Cloud Landscape
• Ops users and automated users
• Ephemeral workloads
• Linux & Windows servers
• Virtual network
• Mostly API network traffic
• Shared Security Model
• DevSecOps & AppSec
ENTERPRISE THREAT DETECTION APPLIED TO CLOUD
Enterprise
• Network: IDS, IPS, NetFlow
• Endpoint: EDR, AV, HIDS
• Logging / SIEM
• Threat Intelligence / Hunting
• Behavior Modeling
Cloud
• Network: TLS API traffic, how to tap or
span? VPC flow logs, container &
orchestrator traffic
• Endpoint: EDR and endpoint for
servers and ephemeral workloads
• Containers & Orchestrators
• Log size and retention
• Threat Intel applied to the Cloud
• Applications & Users vs IPs & Hosts
TRADITIONAL ENTERPRISE THREAT ACTORS
Criminal APT Hacktivism
CLOUD THREAT ACTORS
Criminal APT Hacktivism
CRYPTOJACKING
• Using someone else's compute and
resources to mine cryptocurrencies.
• Started taking off in 2017
• Coinhive started wave of new
techniques to scale
• Could be packaged with or without
malware
• Used in public cloud, browsers, PCs,
IoT, phones, and even Industrial OT
• Monero currently most popular coin
to mine illicitly
CRYPTOJACKING EXAMPLE
• MicroK8s honeypot
• Open APIs & Dashboards
• Attacker scans API
• Adds ReplicationController
• 5 replicas of CentOS w/ curl
commands to DL XMRig & config
CRYPTOJACKING MITIGATIONS
• Billing Alerts
• Monitor CPU Usage
• Monitor connections to popular pools
• Update & Patch Apps
• Host Hardening
DATA LEAK
• The exposure of confidential data
through misconfigurations or similar
modes.
• Typically from unsecured DBs like
MongoDB, Elasticsearch, & Redis or
open cloud provider buckets
• Also can include leaking information
that can be leveraged by attackers
DATA LEAK MITIGATIONS
• Visibility into internet facing
configurations
• Audit and alert for open storage
buckets
• Enforce authentication for DBs
• Encrypt sensitive data at rest
SSH BRUTE FORCE
SSH BRUTE FORCE ATTACKS
• Repeated attempts to guess secure
shell username & password
combinations in an attempt to gain
unauthorized access.
• Most common service to brute force
on public cloud workloads
• However, not the only service that is
commonly brute forced
• Popular infection vector and
propagation method for Linux
malware
• Old tactic, still effective
EXAMPLE – BREAD & BUTTER ATTACKS
• Recent Malware campaign
• Begins with brute force SSH
• Add user “butter”
• Downloads RAT
• RAT communicates with CNC
• RAT downloads XMR miner
• Reported by Guardicore
SSH BRUTE FORCE ATTACKS - MITIGATIONS
• Use key-based authentication vs
password-based authentication
• Restrict access to port 22 (or
whichever port you use) to trusted
clients
• Consider SSH jump boxes to simplify
monitoring, etc
• Alert on successful SSH auth after
series of failed attempts
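The last mitigation above, alerting on a successful SSH login that follows a run of failures, as an added example that is not part of the original talk. It assumes standard OpenSSH syslog lines; the log sample, host name, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines using documentation IP ranges (not real events).
SAMPLE_LOG = """\
Apr 10 09:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 10 09:00:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Apr 10 09:00:04 web1 sshd[2104]: Accepted publickey for deploy from 198.51.100.4 port 51000 ssh2: RSA SHA256:constructed
Apr 10 09:00:06 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Apr 10 09:00:09 web1 sshd[2107]: Failed password for ubuntu from 203.0.113.7 port 40144 ssh2
Apr 10 09:00:11 web1 sshd[2109]: Failed password for ubuntu from 203.0.113.7 port 40150 ssh2
Apr 10 09:00:14 web1 sshd[2111]: Accepted password for ubuntu from 203.0.113.7 port 40161 ssh2
Apr 10 09:05:00 web1 sshd[2120]: Failed password for alice from 192.0.2.50 port 60001 ssh2
Apr 10 09:05:20 web1 sshd[2121]: Accepted password for alice from 192.0.2.50 port 60002 ssh2
"""

# Matches the "Failed <method> for ..." and "Accepted <method> for ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>\S+)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)


def detect_success_after_failures(lines, threshold=5,
                                  window=timedelta(minutes=10), year=2019):
    """Alert when a source IP logs in after >= threshold failures in window.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = failures[m["ip"]]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if m["result"] == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append({
                "ip": m["ip"],
                "user": m["user"],
                "method": m["method"],
                "failures": len(recent),
                "time": ts.isoformat(),
            })
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_success_after_failures(SAMPLE_LOG.splitlines()):
        print(alert)
```

Failures are counted per source IP across all usernames, so a guesser cycling through account names still trips the threshold, while a single mistyped password does not.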
DATA EXFILTRATION
• The act of stealing confidential
information from a network.
• Leaks occur from misconfigurations
and accidental exposure, data exfil
occurs after gaining unauthorized
• Most common end objective in the
cyber kill chain
• Typically associated with APT activity,
espionage, and financial gain
DATA EXFILTRATION
• Just reported in March 2019, details still sparse
• Breach came from unauthorized access
• Affected Toyota Tokyo Sales Holding Inc. and possibly three other independent dealers
in Japan
• A month prior APT32 launched spear phishing against multinational car companies
• Vietnam reportedly trying to develop its domestic car industry
• No confirmation in the attribution to APT32
DATA EXFILTRATION - MITIGATIONS
• One of the hardest to protect against
given a determined actor
• Requires fully mature security posture
• Business must understand where
their most valuable information is and
how to monitor and protect it.
MALWARE
• Any software designed to damage a
computer, server, client, or computer
network.
• RATs, trojans, backdoors,
downloaders, ransomware, etc.
• Recent Linux malware is modular in
nature, typically containing backdoor,
propagation, and mining modules
• Typical cloud chain of events is exploit
-> install script -> backdoor ->
additional modules
• Shell scripts & ELF binaries for Linux
EXAMPLE – BREAD & BUTTER ATTACKS
• Prolific malware family reported in 2018
• Targets Linux & Windows
• Attributed to Iron Group
• Ransomware, coinmining, propagation, and
botnet capabilities
• Self-propagation by attacking weak passwords
and application vulnerabilities
• Ransomware is actually data-destroying (no
recovery), attacks databases in Linux
• Developed in Python
• Reported by Unit42
MALWARE - MITIGATIONS
• Applications up-to-date
• Strong passwords
• Endpoint security
• Network monitoring
RANSOMWARE
• Malware that encrypts files and asks for payment to unlock said files.
• Was very prevalent prior to cryptojacking
• Some ransomware doesn’t unlock files
• Used by criminal and APT groups
• Good security posture can mitigate effects, especially in the cloud
BRIEF HISTORY OF RANSOMWARE
• CryptoLocker – One of the most notable early ransomware families 2013-14
• TeslaCrypt – Targeted video game files in 2016
• SimpleLocker – Targeted Android in 2015-16
• WannaCry – One of the first malware families to utilize leaked NSA tools in 2017
• NotPetya – Piggybacked off the WannaCry wave in 2017
• SamSam – Targeted ransomware-as-a-service in 2015, indictments in 2018
• Ryuk – Targeted ransomware with a big hit in 2018-19
LUCKY RANSOMWARE EXAMPLE
• Targets Linux and Windows
• Variant of Satan Ransomware
• Ransomware, coinmining, and propagation modules
• Propagation similar to Xbash
• Files encrypted with “.lucky” extension
• Check out our blog for more details!
RANSOMWARE - MITIGATIONS
• Disaster recovery plan – backups etc
• Applications up-to-date
• Strong passwords
• Endpoint security
• Network monitoring
• Threat Intelligence
• Know what you are running
REMOTE CODE EXECUTION
• A vulnerability that allows code to be
executed from a remote attacker.
• A frequent occurrence with so many
technology stacks, new CVEs every
week
• Years-old vulnerabilities still a major
issue
• Very common infection vector in the
public cloud
REDIS EXPLOIT EXAMPLE
• Honeypot running Redis 2.8.4 on
Ubuntu 14.04
• Redis exposed to open internet (TCP
port 6379)
• Redis quickly exploited by Lua
vulnerability CVE-2015-4335
• Exploit contains payload to download
install script
• Install script downloads backdoor, miner,
kills competitive miners, and sets up
persistence
RCE - MITIGATIONS
• Patch early and often
• Control network access to services
• Have incident response plans in place
for 0-days (there will always be new
exploits)
• Reduce size of attack surface
• Minimal code base and OS
CONTAINER ESCAPE VULNERABILITY
• A vulnerability that allows escape
from a sandbox or container can
mean access to the host operating
system or hypervisor.
• Biggest concern since popularization
of containers
• Containerized applications share host
resources, escape can lead to attacks
on other containers
• Containers less of a sandbox than
VMs
RUNC CONTAINER ESCAPE VULNERABILITY
• CVE-2019-5736: Execution of malicious
containers allows for container escape
and access to host filesystem
• First major container escape of its kind
• Root user in container or specially
crafted container could overwrite runc
binary with new binary of their
choosing
• Runc used in most container platforms,
most notably Docker
CONTAINER ESCAPE - MITIGATIONS
• 0-days are very rare and difficult to
detect
• Prepare for rapid response to
updating container platforms and
operating system if a vulnerability is
announced
• Follow container best practices to
minimize chance of successful escape
• Privileged container policy
• Read-only root filesystem
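A sketch of how the two policy items above can be checked before a workload is admitted, as an added example that is not part of the original talk. Because the runc slide notes that root inside the container is what allows the binary overwrite, it also flags containers that may run as root. Manifests are assumed to be already parsed into dictionaries; the workload names and images are constructed.

```python
def pod_spec_of(manifest):
    """Return the pod spec of a Pod, or of a workload with a pod template
    (Deployment, ReplicationController, DaemonSet, ...)."""
    spec = manifest.get("spec", {})
    template = spec.get("template")
    return template.get("spec", {}) if template else spec


def audit_manifest(manifest):
    """Return (container, issue) pairs for settings that weaken isolation."""
    pod = pod_spec_of(manifest)
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "<unnamed>")

        # Privileged containers get nearly unrestricted access to the host.
        if sc.get("privileged") is True:
            findings.append((name, "privileged"))

        # The root filesystem is writable unless explicitly set read-only.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "writable-root-filesystem"))

        # Container-level settings override the pod-level securityContext.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (non_root is not True and not uid):
            findings.append((name, "may-run-as-root"))
    return findings


# Constructed manifests for illustration only.
RISKY_RC = {
    "apiVersion": "v1",
    "kind": "ReplicationController",
    "metadata": {"name": "batch-worker"},
    "spec": {
        "replicas": 5,
        "template": {"spec": {"containers": [
            {"name": "worker", "image": "centos:7",
             "securityContext": {"privileged": True}},
        ]}},
    },
}
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "api", "image": "registry.example/api:1.0",
             "securityContext": {"privileged": False,
                                 "readOnlyRootFilesystem": True}},
        ],
    }}},
}
DEFAULT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "scratch"},
    "spec": {"containers": [{"name": "shell", "image": "busybox"}]},
}

if __name__ == "__main__":
    for m in (RISKY_RC, HARDENED_DEPLOYMENT, DEFAULT_POD):
        print(m["kind"], m["metadata"]["name"], audit_manifest(m))
```

A container with no securityContext at all is reported, since the defaults leave the root filesystem writable and do not prevent running as root.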
CLOUD SERVER COMPROMISE
• A server instance from a cloud service
provider that becomes compromised,
for instance, by a malware infection or
unauthorized access.
• An attacker gains access to some or all
of the resources on a given server
• The source of the compromise can
come from insider threats,
exploits/malware, misconfigurations,
and cloud service provider account
compromise
CLOUD SERVER COMPROMISE - MITIGATIONS
• Requires complete security posture
• Cloud Service Provider account
security
• DevOps pipeline security
• Run-time security
MALICIOUS INSIDER
• Malicious actor with privileged access based on their relationship within the
organization.
• IT employee terminated after 4 weeks
• Used former colleague's credentials to
access company AWS account
• Terminated 23 servers
• Estimated $700,000 in losses to the
business
• Deleted data was unable to be
recovered
INSIDER THREAT - MITIGATIONS
• Internal training & awareness
• Practice least privilege
• 2FA to minimize chances of stolen
accounts
• Plan for when employees leave
• Physical access
• Account access
• Disaster recovery plan
FINAL THOUGHTS
• Cloud security is still in its infancy
• Visibility is difficult
• Shared Responsibility Model
• Is cloud security the wild west?
(think M$ in the early days)
• Moving towards more or less secure
model?
• Sec more Dev savvy or opposite?
Resources
1. Bread & Butter - https://www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution/
2. Xbash - https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
3. Top Ransomware Families - https://www.csoonline.com/article/3212260/the-5-biggest-ransomware-attacks-of-the-last-5-years.html
4. Lucky Ransomware - https://www.lacework.com/elf-of-the-month-new-lucky-ransomware-sample/
5. Anatomy of a Redis Exploit - https://www.lacework.com/anatomy-of-a-redis-exploit/
6. Toyota Data Breach - https://www.cyberscoop.com/toyota-data-breach-japan-vietnam/
7. Runc CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
8. Sacked IT guy annihilates 23 of his ex-employer’s AWS servers -
https://nakedsecurity.sophos.com/2019/03/22/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers/
james@lacework.com
https://www.lacework.com/blog/
@laceworklabs
@jameswcondon
QUESTIONS

Lacework | Top 10 Cloud Security Threats

  • 1.
    TOP TEN THREATSTO CLOUD SECURITY PRESENTED BY: JAMES CONDON APRIL 10TH, 2019 AWS SECURITY WEEK NY
  • 2.
    AGENDA whoami Threatscapes: Enterprise vsCloud Top 10 threats to the cloud, examples, and mitigations
  • 3.
    whoami • James Condon,Director of Research @ Lacework • Former USAF OSI, Mandiant, and ProtectWise • Network Forensics, Incident Response, Threat Intelligence, Cloud Security @laceworklabs @jameswcondon
  • 4.
    ENTERPRISE VS CLOUDTHREATSCAPE Enterprise Landscape • Mostly human users • Laptops, workstations, mobile, on- prem servers • Windows, MacOS, Linux, iOS, Andriod, etc. • Organizations owns network and network devices • Email & Webrowsing • Traditional security model Cloud Landscape • Ops users and automated users • Ephemeral workloads • Linux & Windows servers • Virtual network • Mostly API network traffic • Shared Security Model • DevSecOps & AppSec
  • 5.
    ENTERPRISE THREAT DETECTIONAPPLIED TO CLOUD Enterprise • Network: IDS, IPS, NetFlow • Endpoint: EDR, AV, HIDS • Logging / SIEM • Threat Intelligence / Hunting • Behavior Modeling Cloud • Network: TLS API traffic, how to tap or span? VPC flow logs, container & orchestrator traffic • Endpoint: EDR and endpoint for servers and ephemeral workloads • Containers & Orchestrators • Log size and retention • Threat Intel applied to the Cloud • Applications & Users vs IPs & Hosts
  • 6.
    TRADITIONAL ENTERPRISE THREATACTORS Criminal APT Hacktivism
  • 7.
  • 9.
  • 10.
    CRYPTOJACKING • Using someoneelse's compute and resources to mine cryptocurrencies. • Started taking off in 2017 • Coinhive started wave of new techniques to scale • Could be packaged with or without malware • Used in public cloud, browsers, PCs, IoT, phones, and even Industrial OT • Monero currently most popular coin to mine illicitly
  • 11.
    CRYPTOJACKING EXAMPLE • MircoK8sHoneypot • Open APIs & Dashboards • Attacker scans API • Adds ReplicaController • 5 replicas of CentOS w/ curl commands to DL XMRig & config
  • 13.
    CRYPTOJACKING MITIGATIONS • BillingAlerts • Monitor CPU Usage • Monitor connections to popular pools • Update & Patch Apps • Host Hardening
  • 14.
  • 15.
    DATA LEAK • Theexposure of confidential data through misconfigurations or similar modes. • Typically from unsecured DBs like MongoDB, Elasticsearch, & Redis or open cloud provider buckets • Also can include leaking information that can be leveraged by attackers
  • 17.
    DATA LEAK MITIGATIONS •Visibility into internet facing configurations • Audit and alert for open storage buckets • Enforce authentication for DBs • Encrypt sensitive data at rest
  • 18.
  • 19.
    SSH BRUTE FORCEATTACKS • Repeated attempts to guess secure shell username & password combinations in an attempt to gain unauthorized access. • Most common service to brute force on public cloud workloads • However, not the only service to commonly brute force • Popular infection vector and propagation method for Linux malware • Old tactic, still effective
  • 20.
    EXAMPLE – BREAD& BUTTER ATTACKS • Recent Malware campaign • Begins with brute force SSH • Add user “butter” • Downloads RAT • RAT communicates with CNC • RAT downloads XMR miner • Reported by Gaurdicore
  • 21.
    SSH BRUTE FORCEATTACKS - MITIGATIONS • Use key-based authentication vs password-based authentication • Restrict access to port 22 (or whichever port you use) to trusted clients • Consider SSH jump boxes to simplify monitoring, etc • Alert on successful SSH auth after series of failed attempts
  • 22.
  • 23.
    DATA EXFILTRATION • Theact of stealing confidential information from a network. • Leaks occur from misconfigurations and accidental exposer, data exfil occurs after gaining unauthorized • Most common end objective in the cyber kill chain • Typically associated with APT activity, espionage, and financial gain
  • 24.
    DATA EXFILTRATION • Justreported in March 2019, details still sparse • Breach came from unauthorized access • Affected Toyota Tokyo Sales Holding Inc. and possibly three other independent dealers in Japan • A month prior APT32 launched spear phishing against multinational car companies • Vietnam reportedly trying to develop its domestic car industry • No confirmation in the attribution to APT32
  • 25.
    DATA EXFILTRATION -MITGATIONS • One of the hardest to protect against given a determined actor • Requires fully mature security posture • Business must understand where their most valuable information is and how to monitor and protect it.
  • 26.
  • 27.
    MALWARE • Any softwaredesigned to damage a computer, server, client, or computer network. • RATs, trojans, backdoors, downloaders, ransomware, etc. • Recent Linux malware is modular in nature typically containing backdoor, propagation, and mining module • Typical cloud chain of events is exploit -> install script -> backdoor -> additional modules • Shell scripts & ELF binaries for Linux
  • 28.
    EXAMPLE – BREAD& BUTTER ATTACKS • Prolific malware family reported in 2018 • Targets Linux & Windows • Attributed to Iron Group • Ransomware, coinmining, propagation, and botnet capabilities • Self propagation by attacking weak password and application vulnerabilities • Ransomware is actually data-destroying (no recovery), attacks databases in Linux • Developed in Python • Reported by Unit42
  • 29.
    MALWARE - MITIGATIONS •Applications up-to-date • Strong passwords • Endpoint security • Network monitoring
  • 30.
  • 31.
    RANSOMWARE • Malware thatencrypts files and asked for payment to unlock said files. • Was very prevalent prior to cryptojacking • Some ransomware doesn’t unlock files • Used by criminal and APT groups • Good security posture can mitigate effects, especially in the cloud
  • 32.
    BRIEF HISTORY RANSOMWARE •CryptoLocker – One of the most notable early ransomware families 2013-14 • TeslaCrypt – Targeted video game files in 2016 • SimpleLocker – Targeted Andriod in 2015-16 • WannaCry – One of the first malware families to utilize leaked NSA tools in 2017 • NotPetya – Piggy-backed of the WannaCry wave in 2017 • SamSam – Targeted ransomware-as-a-service in 2015, indictments in 2018 • Ryuk – Targeted ransomware with a big hit in 2018-19
  • 33.
    LUCKY RANSOMWARE EXAMPLE •Targets Linux and Windows • Variant of Satan Ransomware • Ransomware, coinmining, and propagation modules • Propagation similar to Xbash • Files encrypted with “.lucky” extension • Check out our blog for more details!
  • 34.
    RANSOMWARE - MITIGATIONS •Disaster recovery plan – backups etc • Application up-to-date • Strong passwords • Endpoint security • Network monitoring • Threat Intelligence • Know what you are running
  • 35.
  • 36.
    REMOTE CODE EXECUTION •A vulnerability that allows code to be executed from a remote attacker. • A frequent occurrence with so many technology stacks, new CVEs every week • Years old vulnerabilities still a major issue • Very common infection vector in the public cloud
  • 37.
    REDIS EXPLOIT EXAMPLE •Honeypot running Redis 2.8.4 on Ubuntu 14.04 • Redis exposed to open internet (TCP port 6379) • Redis quickly exploited by LUA vulnerability CVE-2015-4335 • Exploit contains payload to download install script • Install script downloads backdoor, miner, kills competitive miners, and set ups persistence
  • 38.
    RCE - MITIGATIONS •Patch early and often • Control network access to services • Have incident response plans in place for 0-days (there will always be new exploits) • Reduce size of attack surface • Minimal code base and OS
  • 39.
  • 40.
    CONTAINER ESCAPE VULNERABILITY •A vulnerability that allows escape from a sandbox or container can mean access to the host operating system or hypervisor. • Biggest concern since popularization of containers • Containerized applications share host resources, escape can lead to attacks on other containers • Containers less of a sandbox than VMs
  • 41.
    RUNC CONTAINER ESCAPEVULNERABILITY • CVE-2019-5736: Execution of malicious containers allows for container escape and access to host filesystem • First major container escape of its kind • Root user in container or specially crafted container could overwrite runc binary with new binary of their choosing • Runc used in most container platforms, most notably Docker
  • 42.
    CONTAINER ESCAPE -MITIGATIONS • 0-days are very rare and difficult to detect • Prepare for rapid response to updating container platforms and operating system is vulnerability is announced • Follow container best practices to minimize chance of successful escape • Privileged container policy • Read-only root filesystem
  • 43.
  • 44.
    CLOUD SERVER COMPROMISE •A server instance from a cloud service provider that becomes compromised, for instance, by a malware infection or unauthorized access. • An attacker gains access to some or all of the resources on a given server • The source of the compromise can come from insider threats, exploits/malware, misconfigurations, and cloud service provider account compromise
  • 45.
    CLOUD SERVER COMPROMISE-MITIGATIONS • Requires complete security posture • Cloud Service Provider account security • DevOps pipeline security • Run-time security
  • 46.
  • 47.
    MALICIOUS INSIDER • Maliciousactor with privileged access based on their relationship within the organization.
  • 48.
    • IT employeeterminated after 4 weeks • Used former colleges credentials to access company AWS account • Terminated 23 servers • Estimated $700,000 is loses to the business • Deleted data was unable to be recovered
  • 49.
    INSIDER THREAT -MITIGATIONS • Internal training & awareness • Practice least privileges • 2FA to minimize chances of stolen accounts • Plan for when employees leave • Physical access • Account access • Disaster recovery plan
  • 50.
    FINAL THOUGHTS • Cloudsecurity is still in its infancy • Visibility is difficult • Shared Responsibility Model • Is cloud security the wild west? (think M$ in the early days) • Moving towards more or less secure model? • Sec more Dev savvy or opposite?
  • 51.
    Resources 1. Bread &Butter - https://www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution/ 2. Xbash - https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm- targets-linux-windows/ 3. Top Ransomware Families - https://www.csoonline.com/article/3212260/the-5-biggest-ransomware-attacks-of- the-last-5-years.html 4. Lucky Ransomware - https://www.lacework.com/elf-of-the-month-new-lucky-ransomware-sample/ 5. Anatomy of a Redis Exploit - https://www.lacework.com/anatomy-of-a-redis-exploit/ 6. Toyota Data Breach - https://www.cyberscoop.com/toyota-data-breach-japan-vietnam/ 7. Runc CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736 8. Sacked IT guy annihilates 23 of his ex-employer’s AWS servers - https://nakedsecurity.sophos.com/2019/03/22/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers/
  • 52.

Editor's Notes

  • #3 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #4 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #11 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #12 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #14 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #16 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #18 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #20 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #21 https://www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution/
  • #22 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #24 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #25 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #26 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #28 Automated secuity for multicloud Lacework completely automates security monitoring intrusion detection and configuration compliance. Purpose built for servers, containers, & K8s Agent-based solution for threat monitoring and IDS across cloud servers, containers, & Kubernetes orchestration. High fidelity detection and alerting Utilizes machine learning to eliminate false positives to drive only actionable and accurate security alerts. Engineered for massive scale Designed to support very large customer deployments consisting of thousands of hosts and hundreds of cloud accounts. Unified multicloud security Provides a single security platform for workloads and containers, intrusion detection, and compliance for AWS, Azure, & GCP.
  • #29 https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
  • #33 https://www.csoonline.com/article/3212260/the-5-biggest-ransomware-attacks-of-the-last-5-years.html
  • #34 https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
  • #38 https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
  • #42 https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
  • #49 https://nakedsecurity.sophos.com/2019/03/22/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers/