Learn the top 10 cloud security threats, presented by Lacework.

1. TOP TEN THREATS TO
CLOUD SECURITY
PRESENTED BY: JAMES CONDON
APRIL 10TH, 2019
AWS SECURITY WEEK NY

2. AGENDA
whoami
Threatscapes: Enterprise vs Cloud
Top 10 threats to the cloud, examples, and
mitigations

3. whoami
• James Condon, Director of Research @ Lacework
• Former USAF OSI, Mandiant, and ProtectWise
• Network Forensics, Incident Response, Threat Intelligence, Cloud Security
@laceworklabs
@jameswcondon

4. ENTERPRISE VS CLOUD THREATSCAPE
Enterprise Landscape
• Mostly human users
• Laptops, workstations, mobile, on-
prem servers
• Windows, MacOS, Linux, iOS, Andriod,
etc.
• Organizations owns network and
network devices
• Email & Webrowsing
• Traditional security model
Cloud Landscape
• Ops users and automated users
• Ephemeral workloads
• Linux & Windows servers
• Virtual network
• Mostly API network traffic
• Shared Security Model
• DevSecOps & AppSec

5. ENTERPRISE THREAT DETECTION APPLIED TO CLOUD
Enterprise
• Network: IDS, IPS, NetFlow
• Endpoint: EDR, AV, HIDS
• Logging / SIEM
• Threat Intelligence / Hunting
• Behavior Modeling
Cloud
• Network: TLS API traffic, how to tap or
span? VPC flow logs, container &
orchestrator traffic
• Endpoint: EDR and endpoint for
servers and ephemeral workloads
• Containers & Orchestrators
• Log size and retention
• Threat Intel applied to the Cloud
• Applications & Users vs IPs & Hosts

6. TRADITIONAL ENTERPRISE THREAT ACTORS
Criminal APT Hacktivism

7. CLOUD THREAT ACTORS
Criminal APT Hacktivism

9. CRYPTOJACKING

10. CRYPTOJACKING
• Using someone else's compute and
resources to mine cryptocurrencies.
• Started taking off in 2017
• Coinhive started wave of new
techniques to scale
• Could be packaged with or without
malware
• Used in public cloud, browsers, PCs,
IoT, phones, and even Industrial OT
• Monero currently most popular coin
to mine illicitly

11. CRYPTOJACKING EXAMPLE
• MircoK8s Honeypot
• Open APIs & Dashboards
• Attacker scans API
• Adds ReplicaController
• 5 replicas of CentOS w/ curl
commands to DL XMRig & config

13. CRYPTOJACKING MITIGATIONS
• Billing Alerts
• Monitor CPU Usage
• Monitor connections to popular pools
• Update & Patch Apps
• Host Hardening

14. DATA LEAK

15. DATA LEAK
• The exposure of confidential data
through misconfigurations or similar
modes.
• Typically from unsecured DBs like
MongoDB, Elasticsearch, & Redis or
open cloud provider buckets
• Also can include leaking information
that can be leveraged by attackers

17. DATA LEAK MITIGATIONS
• Visibility into internet facing
configurations
• Audit and alert for open storage
buckets
• Enforce authentication for DBs
• Encrypt sensitive data at rest

18. SSH BRUTE FORCE

19. SSH BRUTE FORCE ATTACKS
• Repeated attempts to guess secure
shell username & password
combinations in an attempt to gain
unauthorized access.
• Most common service to brute force
on public cloud workloads
• However, not the only service to
commonly brute force
• Popular infection vector and
propagation method for Linux
malware
• Old tactic, still effective

20. EXAMPLE – BREAD & BUTTER ATTACKS
• Recent Malware campaign
• Begins with brute force SSH
• Add user “butter”
• Downloads RAT
• RAT communicates with CNC
• RAT downloads XMR miner
• Reported by Gaurdicore

21. SSH BRUTE FORCE ATTACKS - MITIGATIONS
• Use key-based authentication vs
password-based authentication
• Restrict access to port 22 (or
whichever port you use) to trusted
clients
• Consider SSH jump boxes to simplify
monitoring, etc
• Alert on successful SSH auth after
series of failed attempts

22. DATA EXFILTRATION

23. DATA EXFILTRATION
• The act of stealing confidential
information from a network.
• Leaks occur from misconfigurations
and accidental exposer, data exfil
occurs after gaining unauthorized
• Most common end objective in the
cyber kill chain
• Typically associated with APT activity,
espionage, and financial gain

24. DATA EXFILTRATION
• Just reported in March 2019, details still sparse
• Breach came from unauthorized access
• Affected Toyota Tokyo Sales Holding Inc. and possibly three other independent dealers
in Japan
• A month prior APT32 launched spear phishing against multinational car companies
• Vietnam reportedly trying to develop its domestic car industry
• No confirmation in the attribution to APT32

25. DATA EXFILTRATION - MITGATIONS
• One of the hardest to protect against
given a determined actor
• Requires fully mature security posture
• Business must understand where
their most valuable information is and
how to monitor and protect it.

26. MALWARE

27. MALWARE
• Any software designed to damage a
computer, server, client, or computer
network.
• RATs, trojans, backdoors,
downloaders, ransomware, etc.
• Recent Linux malware is modular in
nature typically containing backdoor,
propagation, and mining module
• Typical cloud chain of events is exploit
-> install script -> backdoor ->
additional modules
• Shell scripts & ELF binaries for Linux

28. EXAMPLE – BREAD & BUTTER ATTACKS
• Prolific malware family reported in 2018
• Targets Linux & Windows
• Attributed to Iron Group
• Ransomware, coinmining, propagation, and
botnet capabilities
• Self propagation by attacking weak password
and application vulnerabilities
• Ransomware is actually data-destroying (no
recovery), attacks databases in Linux
• Developed in Python
• Reported by Unit42

29. MALWARE - MITIGATIONS
• Applications up-to-date
• Strong passwords
• Endpoint security
• Network monitoring

30. RANSOMWARE

31. RANSOMWARE
• Malware that encrypts files and asked for payment to unlock said files.
• Was very prevalent prior to cryptojacking
• Some ransomware doesn’t unlock files
• Used by criminal and APT groups
• Good security posture can mitigate effects, especially in the cloud

32. BRIEF HISTORY RANSOMWARE
• CryptoLocker – One of the most notable early ransomware families 2013-14
• TeslaCrypt – Targeted video game files in 2016
• SimpleLocker – Targeted Andriod in 2015-16
• WannaCry – One of the first malware families to utilize leaked NSA tools in 2017
• NotPetya – Piggy-backed of the WannaCry wave in 2017
• SamSam – Targeted ransomware-as-a-service in 2015, indictments in 2018
• Ryuk – Targeted ransomware with a big hit in 2018-19

33. LUCKY RANSOMWARE EXAMPLE
• Targets Linux and Windows
• Variant of Satan Ransomware
• Ransomware, coinmining, and propagation modules
• Propagation similar to Xbash
• Files encrypted with “.lucky” extension
• Check out our blog for more details!

34. RANSOMWARE - MITIGATIONS
• Disaster recovery plan – backups etc
• Application up-to-date
• Strong passwords
• Endpoint security
• Network monitoring
• Threat Intelligence
• Know what you are running

35. REMOTE CODE EXECUTION

36. REMOTE CODE EXECUTION
• A vulnerability that allows code to be
executed from a remote attacker.
• A frequent occurrence with so many
technology stacks, new CVEs every
week
• Years old vulnerabilities still a major
issue
• Very common infection vector in the
public cloud

37. REDIS EXPLOIT EXAMPLE
• Honeypot running Redis 2.8.4 on
Ubuntu 14.04
• Redis exposed to open internet (TCP
port 6379)
• Redis quickly exploited by LUA
vulnerability CVE-2015-4335
• Exploit contains payload to download
install script
• Install script downloads backdoor, miner,
kills competitive miners, and set ups
persistence

38. RCE - MITIGATIONS
• Patch early and often
• Control network access to services
• Have incident response plans in place
for 0-days (there will always be new
exploits)
• Reduce size of attack surface
• Minimal code base and OS

39. CONTAINER ESCAPE VULNERABILITY

40. CONTAINER ESCAPE VULNERABILITY
• A vulnerability that allows escape
from a sandbox or container can
mean access to the host operating
system or hypervisor.
• Biggest concern since popularization
of containers
• Containerized applications share host
resources, escape can lead to attacks
on other containers
• Containers less of a sandbox than
VMs

41. RUNC CONTAINER ESCAPE VULNERABILITY
• CVE-2019-5736: Execution of malicious
containers allows for container escape
and access to host filesystem
• First major container escape of its kind
• Root user in container or specially
crafted container could overwrite runc
binary with new binary of their
choosing
• Runc used in most container platforms,
most notably Docker

42. CONTAINER ESCAPE - MITIGATIONS
• 0-days are very rare and difficult to
detect
• Prepare for rapid response to
updating container platforms and
operating system is vulnerability is
announced
• Follow container best practices to
minimize chance of successful escape
• Privileged container policy
• Read-only root filesystem

43. CLOUD SERVER COMPROMISE

44. CLOUD SERVER COMPROMISE
• A server instance from a cloud service
provider that becomes compromised,
for instance, by a malware infection or
unauthorized access.
• An attacker gains access to some or all
of the resources on a given server
• The source of the compromise can
come from insider threats,
exploits/malware, misconfigurations,
and cloud service provider account
compromise

45. CLOUD SERVER COMPROMISE- MITIGATIONS
• Requires complete security posture
• Cloud Service Provider account
security
• DevOps pipeline security
• Run-time security

46. MALICIOUS INSIDER

47. MALICIOUS INSIDER
• Malicious actor with privileged access based on their relationship within the
organization.

48. • IT employee terminated after 4 weeks
• Used former colleges credentials to
access company AWS account
• Terminated 23 servers
• Estimated $700,000 is loses to the
business
• Deleted data was unable to be
recovered

49. INSIDER THREAT - MITIGATIONS
• Internal training & awareness
• Practice least privileges
• 2FA to minimize chances of stolen
accounts
• Plan for when employees leave
• Physical access
• Account access
• Disaster recovery plan

50. FINAL THOUGHTS
• Cloud security is still in its infancy
• Visibility is difficult
• Shared Responsibility Model
• Is cloud security the wild west?
(think M$ in the early days)
• Moving towards more or less secure
model?
• Sec more Dev savvy or opposite?

51. Resources
1. Bread & Butter - https://www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution/
2. Xbash - https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-
targets-linux-windows/
3. Top Ransomware Families - https://www.csoonline.com/article/3212260/the-5-biggest-ransomware-attacks-of-
the-last-5-years.html
4. Lucky Ransomware - https://www.lacework.com/elf-of-the-month-new-lucky-ransomware-sample/
5. Anatomy of a Redis Exploit - https://www.lacework.com/anatomy-of-a-redis-exploit/
6. Toyota Data Breach - https://www.cyberscoop.com/toyota-data-breach-japan-vietnam/
7. Runc CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
8. Sacked IT guy annihilates 23 of his ex-employer’s AWS servers -
https://nakedsecurity.sophos.com/2019/03/22/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers/

52. james@lacework.com
https://www.lacework.com/blog/
@laceworklabs
@jameswcondon
QUESTIONS