Over a quarter of cloud loads have been compromised by cryptojackers

Audit of cloud workloads finds misconfiguration remains rife – and cybercriminals are taking advantage


Businesses have moved millions of applications to public cloud platforms but many of those environments are riddled with vulnerabilities that make them easy prey for cybercriminals, cybersecurity experts are warning after a new audit found fully 28 percent of cloud workloads have been taken over by cryptomining malware.

The technical review, which examined workloads hosted on a range of cloud platforms, was conducted by Palo Alto Networks’ Unit 42 security intelligence division and found that human error, predominantly, had left sensitive data exposed through more than 34 million vulnerabilities in installed systems.

Unpatched or misconfigured Apache servers, jQuery packages and other applications accounted for 29.13m vulnerabilities on Amazon EC2 instances, 3.97m on Google Cloud Platform Compute Engine, and 1.72m on Microsoft’s Azure Virtual Machines.

“Patching is a struggle,” the analysis noted, “as many standalone vulnerability management tools lack cloud context and remain scattered across multiple consoles.”

Misconfigurations were a major problem for the examined cloud-based platforms, with 65 percent of publicly-disclosed cloud security incidents due to misconfigurations.

The prevalence of such misconfigurations – which suggests security practitioners are simply repeating their on-premises mistakes in cloud workloads – has been repeatedly flagged by the likes of IBM and Gartner, the latter of which predicted that, through 2020, 80 percent of cloud breaches would be due to customer misconfiguration, mismanaged credentials or insider theft.

More than 40,000 cloud-hosted Docker containers – representing 51 percent of all publicly-exposed containers – had been deployed and left running with default configurations, many of which allowed access to their data even by unauthenticated users.

Fully 56 percent of workloads had at least one Remote Desktop Protocol (RDP) service exposed to the Internet, leaving cloud users open to exploitation by any of a broad range of remote-desktop exploits – which are routinely used to gain access to remote systems without authentication.

One recent RDP vulnerability is so serious that Microsoft and the US National Security Agency, among others, have pleaded with systems administrators to patch the hole to avoid a repeat of the 2017 WannaCry ransomware attack.

Yet while Unit 42’s analysis highlighted the persistent vulnerabilities found across popular cloud environments, the strong penetration of cryptomining malware confirmed that cybercriminals are actively seeking and exploiting these vulnerabilities.

Nearly a third of examined cloud workloads were communicating with malicious cryptomining command-and-control domains run by cybercriminal group Rocke.

“Timely and consistent patching schedules for cloud-based systems are an expedient way to slow similar malware threats,” the firm advised.

Security vendors have rushed to help customers improve their cloud security, with Barracuda Networks, for example, recently extending its Barracuda Cloud Security Guardian policy manager to Azure.

Yet 77 percent of public-cloud adopters continue to rely on built-in security, CyberArk noted in its recent Global Advanced Threat Landscape Report 2019.

“This kind of attack is the realisation of one of the most feared breaches and is a real nightmare for both cloud vendors and customers,” said Lavi Lazarovitz, Security Research Group Manager at CyberArk Labs in a statement.

“Customers have no visibility to an attack starting from the cloud vendor side of the infrastructure, so when the attackers hit, it can be devastating.”
