This post is also available in: 日本語 (Japanese)
Cloudy with a Chance of Entropy
The term “cloud” has been popular in the business lexicon since 2006 when Amazon Web Services (AWS) launched its Elastic Compute Cloud (EC2). The latest Cloud Threat Risk Report from Unit 42, which was released today, shows that organizations continue to struggle with securing public cloud platforms some 13 years after the launch of EC2. The report highlights key insights on cloud threats based on intelligence gathered from multiple data sources between January 2018 and late June 2019.
Among other findings, the report shows:
- Shortcomings in on-premises patching habits are carrying over to the cloud. Unit 42 found more than 34 million vulnerabilities in customer applications running across various cloud service providers (CSPs). These vulnerabilities originate from the applications customers deploy to CSP infrastructure, such as outdated Apache servers and vulnerable jQuery packages. Researchers identified:
- 29,128,902 vulnerabilities in customer applications running on Amazon EC2
- 1,715,855 in customer applications running on Azure Virtual Machine
- 3,971,632 in customer applications running on GCP Compute Engine
Patching is a struggle, as many standalone vulnerability management tools lack cloud context and remain scattered across multiple consoles. Organizations need to consolidate tools in order to create a cloud-centric view.
- Default and unsecured container configurations are rampant. Unit 42 research reveals more than 40,000 container systems operate under default configurations. This represents nearly 51% of all publicly exposed Docker containers. Many of the systems identified allowed for unauthenticated access to the data they contained. We recommend at least placing every container with sensitive data behind a properly configured security policy or an external-facing firewall that prevents access from the internet.
- Cloud complexity is yielding low-hanging fruit for attackers. Regarding publicly disclosed cloud security incidents, 65% were the result of misconfigurations. Organizations that had at least one Remote Desktop Protocol (RDP) service exposed to the entire internet amounted to 56%, despite the fact that all major cloud providers natively give consumers the ability to restrict inbound traffic. This represents an opportunity to consolidate cloud-based network controls with well-established on-premises management systems.
- Malware has extended its reach to the cloud. Unit 42 found 28% of organizations communicating with malicious cryptomining C2 domains operated by the threat group Rocke. We have been closely tracking the group and noted the group’s unique tactics, techniques and procedures (TTPs), giving them the ability to disable and uninstall agent-based cloud security tools. Timely and consistent patching schedules for cloud-based systems are an expedient way to slow similar malware threats.
Download the latest “Threat Forecast: Cloudy with a Chance of Entropy” for more security insights as well as actionable recommendations to protect your cloud environment.