Armor Detects and Neutralizes 681 Million Cyberattacks Launched at its Cloud Customers in 2018

Most Frequent Attacks Include Brute-Forcing Passwords, Attacks Against Vulnerable Software, Web Application Attacks and IoT Attacks

If you think that hackers aren’t going after organizations’ data being hosted in the cloud, well think again. Armor, a leading cloud security solutions provider which protects the informational assets of 1,200 cloud clients globally, reported that during 2018 they detected and neutralized over 681 million cyberattacks being launched at its clients.

Armor’s customers host their data both in public cloud environments and in Armor’s own Virtual Private Cloud, Armor Complete. While the public hears many news reports of misconfigured cloud instances left exposed on the Internet, the anatomy of the attacks that deliberately go after cloud environments is rarely described. Understanding the types of attacks being launched at cloud customers, and how organizations can defend against them, is vital for any organization that hosts its data in the cloud, whether public or virtual private.

Most Frequent Cyberattacks Detected

Amongst the over 681 million cyberattacks Armor detected and neutralized on behalf of its cloud customers, the four most frequent attack types its security analysts saw were: Attacks Against Known Software Vulnerabilities; Brute-Force Attacks/Attacks Involving Stolen Credentials; Web Application Attacks (e.g. SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery and Remote File Inclusion); and Attacks Targeting Internet of Things (IoT) Devices.

Targeted Attacks or Attacks of Opportunity?

Armor’s 1,200 clients are primarily spread across the following industry verticals: Financial/Financial Services, Retail, Healthcare, Insurance, Software and IT Solution Providers, and Utilities. Having studied the over 681 million attacks launched in 2018, Armor’s intelligence analysts and security researchers believe that all indications are that the vast majority of them were attacks of opportunity rather than attacks targeting specific organizations.

Armor’s analysts saw a tremendous amount of scanning of its clients’ environments. This is no surprise, as scanning activity has become part of the normal noise of the Internet. Armor’s analysts, however, endeavor not to take this scanning activity for granted. “We have seen that by analyzing the scanning activity we detect, we can break the activity into groups of normal bot activity and likely malicious scanning activity, characterizing the malicious scanning activity to determine their most likely targets, turning the noise into information,” said Corey Milligan, Senior Security Researcher with Armor’s Threat Resistance Unit (TRU).

This malicious scanning is often the first step in an attack. The typical modus operandi for attacks of opportunity is: scan the Internet for vulnerable applications or systems that can be compromised, get an initial foothold in an organization’s IT environment, and then look for databases or other storage containers that might hold sensitive or valuable data (such as customer PII, payment card data or intellectual property). If no such data is found, the cybercriminals might hijack the victim’s IT environment and use it as a launching pad for other illicit activities, such as sending malicious phishing emails, running large spam campaigns, mounting DDoS attacks or using the organization’s computing resources for crypto mining.

Many organizations, upon hearing that they aren’t being specifically targeted by a cybercrime group, assume the risk to them is low and feel justified in budgeting for nothing but the minimum required security controls. That assumption can prove fatal: an attack of opportunity can often be more damaging than a targeted attack, at least in the short term. If an organization does not have a capable, seasoned security team watching and defending its IT environment 24x7, checking its logs and responding quickly to the barrage of cyberattacks thrown at it, then cybercriminals, even those merely seeking crimes of opportunity, can do a lot of damage. In this report, readers will learn about the most prevalent cyberthreats Armor is detecting and how to defend against them; which data, applications and areas of the cloud customers are responsible for protecting and which the cloud security provider defends; and lastly which cyberthreats Armor’s security experts believe organizations will encounter in 2019.

Brute-Force Attacks / Attacks Involving Stolen Credentials

A brute-force attack is one in which threat actors attempt to gain unauthorized access by guessing a password. Brute-force attacks can be driven by credential dumps from earlier breaches, known password patterns, default credentials and dictionary attacks. A dictionary attack tries to guess a user’s password by submitting common words and phrases, and simple alterations of them, typically taken from a word list such as a dictionary; rather than trying every possible combination, it tries only the candidates deemed most likely to succeed. Dictionary attacks often succeed because many people choose short passwords that are ordinary words, common passwords, or simple variants of them.

“Although Brute-Force attacks have been around for a long time, they are surprisingly effective because of the simple passwords people continue to use,” said Milligan.  “Often users enable attackers to compromise multiple accounts by using the same or very similar passwords across their online accounts,” continued Milligan.

According to news reports, online eyewear retailer Warby Parker was hit by a credential stuffing attack in the fall of 2018 that affected about 198,000 of its customers. Threat actors reportedly took user credentials obtained from an unrelated hack of another company and used them to log in to Warby Parker customer accounts.

In late November 2018, Dunkin’ Donuts reported a security incident involving some of its customers’ DD Perks accounts that followed the same modus operandi: account credentials leaked in other breaches were used to gain access to DD Perks accounts.

How to Protect Against Brute-Force Attacks:

  • Employ Multi-Factor Authentication (MFA) and review MFA settings to ensure that your organization has MFA coverage for all key applications and services.
  • Review password policies to ensure they align with the latest NIST guidelines (NIST SP 800-63B: screen new passwords against lists of breached and commonly used passwords, favor length over forced composition rules, and do not expire passwords on a fixed schedule) and deter the use of easy-to-guess passwords.
  • Assess your IT helpdesk password management rules for initial passwords, password resets after user lockouts, and shared accounts. Helpdesk procedures that do not line up with company policy create an exploitable security gap.
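To make the distinction between the two attack styles concrete, here is an added example (my own code, not Armor’s detection logic and not code from the original report) that classifies failed logins in sshd-style auth log lines by source IP: many failures against one account point to password brute forcing, while one failure each against many different accounts is the signature of credential stuffing with a leaked list, as in the Warby Parker and Dunkin’ cases. The log lines, hostnames, and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log for this example (not real telemetry);
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Nov 12 03:14:02 web1 sshd[2202]: Failed password for root from 203.0.113.5 port 51123 ssh2
Nov 12 03:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51124 ssh2
Nov 12 03:14:04 web1 sshd[2204]: Failed password for root from 203.0.113.5 port 51125 ssh2
Nov 12 03:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 51126 ssh2
Nov 12 03:15:10 web1 sshd[2310]: Failed password for invalid user alice from 198.51.100.7 port 40001 ssh2
Nov 12 03:15:11 web1 sshd[2311]: Failed password for invalid user bob from 198.51.100.7 port 40002 ssh2
Nov 12 03:15:12 web1 sshd[2312]: Failed password for carol from 198.51.100.7 port 40003 ssh2
Nov 12 03:15:13 web1 sshd[2313]: Failed password for invalid user dave from 198.51.100.7 port 40004 ssh2
Nov 12 03:15:14 web1 sshd[2314]: Failed password for erin from 198.51.100.7 port 40005 ssh2
Nov 12 03:15:15 web1 sshd[2315]: Accepted password for erin from 198.51.100.7 port 40006 ssh2
Nov 12 03:16:00 web1 sshd[2400]: Failed password for frank from 192.0.2.9 port 33001 ssh2
Nov 12 03:16:30 web1 sshd[2401]: Accepted password for frank from 192.0.2.9 port 33002 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def classify_sources(log_text, threshold=5, stuffing_ratio=0.8):
    """Per source IP: count failures, distinct target accounts and any success
    that followed failures, then label the pattern.  The thresholds are
    assumptions for this example; tune them to your own baseline."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "logins_after_failures": []})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            stats[m["ip"]]["failures"] += 1
            stats[m["ip"]]["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # A success from an IP that was failing just before is the event worth paging on.
        if m and m["ip"] in stats and stats[m["ip"]]["failures"] > 0:
            stats[m["ip"]]["logins_after_failures"].append(m["user"])

    report = {}
    for ip, s in stats.items():
        fails, users = s["failures"], s["users"]
        if fails < threshold:
            verdict = "below-threshold"
        elif len(users) == 1:
            verdict = "brute-force"           # one account, many password guesses
        elif len(users) / fails >= stuffing_ratio:
            verdict = "credential-stuffing"   # many accounts, about one guess each
        else:
            verdict = "mixed"
        report[ip] = {
            "failures": fails,
            "users": sorted(users),
            "verdict": verdict,
            "logins_after_failures": s["logins_after_failures"],
        }
    return report


def alerts(report):
    """Turn the per-IP report into alert strings, escalating where a login succeeded."""
    out = []
    for ip, r in sorted(report.items()):
        if r["verdict"] == "below-threshold":
            continue
        msg = f"{ip}: {r['verdict']} ({r['failures']} failures, {len(r['users'])} accounts)"
        if r["logins_after_failures"]:
            msg += (" -> SUCCESSFUL LOGIN as " + ", ".join(r["logins_after_failures"])
                    + "; treat the account as compromised")
        out.append(msg)
    return out


if __name__ == "__main__":
    for line in alerts(classify_sources(SAMPLE_AUTH_LOG)):
        print(line)
```

The credential-stuffing verdict is the one that MFA defeats outright, and the login-after-failures flag is the case where a password policy alone has already lost: the leaked password was valid, so the response is a forced reset and a session revocation, not a lockout.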

Attacks Against Known Software Vulnerabilities

In analyzing the over 681 million attacks launched at its clients in 2018, Armor’s TRU team found that many of the attacks it detected and neutralized targeted known vulnerabilities in software applications. Like many security organizations, Armor has found that patching these vulnerabilities takes time, because customer organizations test patches first and work to install them without significant impact to their business. Threat actors know this and routinely attack in the window before patches can be deployed. Understanding that patches often cannot be deployed quickly, Armor proactively monitors known vulnerabilities and the techniques used to exploit them in order to detect and mitigate exploitation attempts.

How Armor Defended its Cloud Customers from the Drupalgeddon Attacks

In 2018, the Drupalgeddon 2/3 vulnerabilities and subsequent attacks were a potent reminder of how threat actors will attempt to exploit the time needed to deploy patches.

On Mar. 21, 2018, Drupal, a popular Content Management System (CMS), pre-announced a highly critical security release; the advisory and patch for the vulnerability (CVE-2018-7600, dubbed Drupalgeddon 2) followed on March 28. The flaw allowed unauthenticated remote code execution because user-supplied input, including the “#”-prefixed property keys of Drupal’s Form API render arrays, was not adequately sanitized. The vulnerability reportedly affected over a million websites running Drupal, including major U.S. educational institutions and government organizations around the world. Even months later, there were reports that many websites remained unpatched.

As soon as the patch was released, Armor advised its customers to apply it as quickly as possible. Knowing that it would take time for organizations to patch, Armor proactively pushed out network signatures and correlation rules based on the Drupalgeddon 2 Proof-of-Concept (PoC) code that was released to the public about two weeks after the patch. Armor’s security analysts then began threat hunting and identified multiple attempts by threat actors to exploit the Drupal vulnerability to deliver malware. Through analysis of that malware, the PoC code and other exploit techniques, Armor deployed countermeasures that blocked the detected payloads and exploit attempts. Through these efforts Armor was highly successful in blocking exploit attempts, and it contained and eradicated the rest before any damage was done.
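As an illustration of the kind of network signature and correlation rule the paragraph above refers to, here is an added example (my own code, not Armor’s signatures and not anything from the original report) that scans web access log lines for the request shapes used by the public CVE-2018-7600 PoC: query parameters whose keys are Form API render-array properties such as `[#post_render]`, and the `element_parents=…%23value` AJAX-form trick. The log lines are constructed; the indicator list is an assumption drawn from the public PoC and the keys Drupal’s patch strips. A real deployment would also inspect POST bodies, which plain access logs do not capture.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Render-array properties a request should never be able to set.  The fix for
# SA-CORE-2018-002 strips user-supplied keys starting with '#'; these are the
# ones the public PoCs abused (assumed list for this example; extend as needed).
DANGEROUS_PROPS = {"post_render", "pre_render", "lazy_builder", "access_callback", "process"}
HASH_KEY_RE = re.compile(r"\[#([a-z_]+)\]")

# Constructed combined-format access log lines (not real Armor data).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [13/Apr/2018:10:22:01 +0000] "GET /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=id HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
203.0.113.5 - - [13/Apr/2018:10:22:05 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 88 "-" "python-requests/2.18.4"
198.51.100.20 - - [13/Apr/2018:10:23:40 +0000] "GET /user/register HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.21 - - [13/Apr/2018:10:24:02 +0000] "GET /node/12?_format=json HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def inspect_request(target):
    """Return the indicator names found in one request target (path + query)."""
    indicators = []
    # Split before decoding: once '%23' becomes '#', urlsplit would treat the
    # rest of the string as a fragment and the indicator would be lost.
    raw_query = urlsplit(target).query
    decoded = unquote_plus(unquote_plus(raw_query))   # second pass catches double encoding
    for prop in HASH_KEY_RE.findall(decoded):
        if prop in DANGEROUS_PROPS:
            indicators.append("render-array-key:#" + prop)
    for key, value in parse_qsl(raw_query, keep_blank_values=True):
        if key == "element_parents" and "#" in unquote_plus(value):
            indicators.append("element_parents-with-hash-key")
    return indicators


def scan_access_log(log_text):
    """Parse each line and report requests carrying Drupalgeddon 2 indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = inspect_request(m["target"])
        if found:
            hits.append({"ip": m["ip"], "method": m["method"], "target": m["target"],
                         "status": int(m["status"]), "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        # A 200 on an exploit-shaped request means the host is probably unpatched.
        print(hit["ip"], hit["method"], hit["status"], ", ".join(hit["indicators"]))
```

The correlation rule the text describes is the second half of this: a hit with a 200 status on a host that is still running an affected Drupal version is a probable compromise, not just an attempt, and should trigger a hunt for dropped web shells and outbound connections from that host.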

How Organizations Can Help Protect Against CMS Attacks

  • Subscribe to security notifications from the vendors/developers of your applications so you know when patches are available
  • Apply patches in a timely and measured manner, and monitor logs more closely when you know you have a critical vulnerability that hasn’t been patched
  • Be aware of and make sure you understand the shared responsibility model you have with your cloud provider
  • If you want to be secure, don’t just go with the cheapest cloud provider. Review multiple cloud providers, comparing their shared responsibility models and the security features they offer

Web Application Attacks (e.g. SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery Attacks, and Remote File Inclusion)

Armor saw numerous Web Application Attacks attempted at its customers in 2018, everything from SQL injection attacks to Cross-Site Scripting to Remote File Inclusion Attacks.

SQL Injection Attacks. This common attack tactic uses malicious SQL code to manipulate the backend database and access information that was never intended to be displayed. That information may include sensitive company data, user lists or private customer details.
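The mechanics of that manipulation, as an added example (my own code, not from the report): a lookup built by string concatenation lets the attacker rewrite the query, while the same lookup with a bound parameter treats the input as data no matter what it contains. It uses Python’s built-in sqlite3 with a small constructed table; the user records and hash strings are placeholders.

```python
import sqlite3

# Constructed sample data (placeholders, not real records).
USERS = [
    ("alice", "hash-of-alice-password", "123-45-6789"),
    ("bob",   "hash-of-bob-password",   "987-65-4321"),
    ("carol", "hash-of-carol-password", "555-12-3456"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, ssn) VALUES (?, ?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the input is spliced into the SQL text, so
    quotes and keywords in it become part of the query grammar."""
    sql = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened: the value is bound to a placeholder and can never change the
    statement's structure, whatever characters it contains."""
    return conn.execute("SELECT username, ssn FROM users WHERE username = ?",
                        (username,)).fetchall()


# Two classic payloads: a tautology that matches every row, and a UNION that
# pulls a different column (the password hashes) into the result set.  The
# trailing "--" comments out the closing quote the application appends.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    for payload in ("alice", TAUTOLOGY, UNION_DUMP):
        print(repr(payload))
        print("  vulnerable:", find_user_vulnerable(db, payload))
        print("  safe:      ", find_user_safe(db, payload))
```

Note what the safe version returns for the UNION payload: an empty list, because the database was asked for a user whose literal name is that 57-character string. Input validation is a useful second layer, but parameterization is the fix.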

Cross-Site Scripting (XSS). In these attacks, malicious scripts are injected into otherwise harmless and trusted websites. According to the Open Web Application Security Project (OWASP), XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The flaws that enable these attacks are widespread and occur anywhere a web application includes user input in the output it generates without validating or encoding it.

Cross-Site Request Forgery (CSRF). According to OWASP, CSRF is an attack that forces a user to carry out unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests rather than theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), a threat actor may trick the users of a web application into executing actions of the attacker’s choosing. A successful CSRF attack can force the user to perform state-changing requests such as transferring funds or changing their email address. If the victim holds an administrative account, CSRF can compromise the entire web application.

Remote File Inclusion (RFI) Attacks. This attack targets web applications that dynamically include scripts by a name or URL taken from user input. The threat actor’s goal is to abuse that include mechanism so that the application fetches and executes a file (e.g., a backdoor web shell) from a remote URL on an attacker-controlled domain.

If an RFI is successful, a threat actor could potentially steal valuable information, compromise servers or take over a website and modify its content.

How to Protect Against SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery and Remote File Inclusion Attacks

  • Adopt secure coding practices
  • Implement secure configuration and administration practices: shut down unnecessary processes and ports and disable default accounts
  • Ensure that your security and IT teams understand the cloud products your organization is using and do not leave those products open to the Internet
  • Use a separate account for network administrative actions, and use different credentials for the administrative accounts of different applications
  • Apply security patches in a timely, measured process
  • Implement network security devices such as Web Application Firewalls (WAF) and Network Intrusion Prevention Systems (NIPS)
  • Put a Content Delivery Network (CDN) with WAF capabilities, such as Cloudflare, in front of your web applications
  • Monitor host and network logs for anomalous/malicious activity

Internet of Things (IoT) Attacks

Amongst the top four attacks Armor saw launched against its 1,200 clients in 2018 were attacks targeting “Internet of Things” (IoT) devices. IoT devices are everyday objects connected via the Internet (e.g. routers, cameras, DVRs, thermostats, electronic appliances, alarm clocks, etc.). These devices use embedded technology to communicate and interact with the external environment, all via the Internet.

Threat actors scan the Internet for open remote administration services (Telnet and SSH on IoT devices, for example) so they can identify and infect thousands of IoT devices with malware and form a botnet (a group of hacked computers, smart appliances and Internet-connected devices that have been hijacked by cybercriminals for illicit purposes). The botnet can then be used to blast out malicious phishing emails, send spam, carry out click fraud schemes or launch distributed denial of service (DDoS) attacks that knock an organization off the Internet.

Computer users might recall Mirai, the infamous malware that in 2016 infected hundreds of thousands of routers, cameras, DVRs and other IoT devices by logging in with factory-default credentials, forming the Mirai botnet. That botnet launched several significant DDoS attacks, including the October 2016 attack on DNS provider Dyn that caused hours-long outages at sites including Twitter, the Guardian, Netflix, Reddit, CNN and many others across Europe and the US.

With IoT devices predicted to reach 20.4 billion by 2020, according to analyst firm Gartner, Milligan says he expects to see an increase in attacks targeting IoT devices in 2019, because they are such easy prey and so prevalent. “When setting up and operating a home router, web-enabled appliance, DVR, etc., many users don’t know or think to change the default password,” said Milligan. In fact, a September 2018 study by anti-virus provider Kaspersky found that brute forcing of passwords (repeated attempts at different password combinations) was used in 93% of the attacks it observed against IoT devices.

Unfortunately, the use of poor or default passwords, combined with the fact that many IoT manufacturers focus more on ease of use and getting their product to market quickly than on securing it, makes these devices ripe for attack. Thus, it is critical that organizations implement a robust password management program, employ multi-factor authentication across all key applications and services, and have security countermeasures that detect and block attacks launched at IoT devices, as well as detect and neutralize attacks launched by IoT botnets, especially DDoS attacks. A robust DDoS mitigation solution is imperative so that, should the company become the target of a DDoS attack, it can quickly limit the damage.

Hackers Innovate?  Nah, Not When They Can Rely on the Good Old Standbys

Armor ranked Brute-Force Attacks, Attacks Against Known Software Vulnerabilities, Web Application Attacks (such as SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery and Remote File Inclusion) and IoT Attacks as the top four types of attacks based on volume. These attack types are certainly not the most sophisticated nor the most lethal; they are seen so often because they are “good old standbys” that continue to work, are easy to obtain and fairly easy to use. A cybercriminal can simply rent an exploit kit containing many attack tools. For example, the older, established Disdain Exploit Kit was advertised at rental fees starting at $80 a day, $500 a week and $1,400 a month. These malicious toolkits bundle exploits for vulnerabilities in commonly used software or services, such as Adobe Flash, Java and WordPress, and are packaged so that an average computer user can successfully attack those vulnerabilities and then distribute malware or perform other malicious activities, such as wiping a victim’s hard drive.

The criminals selling or renting these exploit kits constantly add new exploits to them, which is one more reason to maintain a regular patch management schedule and keep software patched against the security holes those kits target. “Organizations that ignore patching leave themselves open to attacks that can take time and resources away from their business and can cause a lot of damage,” said Milligan.

What  Types of Cyberattacks Will Be Prevalent in 2019?

According to Milligan, the TRU Team  anticipates that the following cyberattacks will trend in 2019:

  • IoT attacks and DDoS campaigns
  • Exploits and attacks targeting Containers and Cloud Services
  • Targeted ransomware
  • Greater levels of sophistication in phishing campaigns

Public Cloud Providers, Cloud Customers—Where Does the Security Buck Stop?

According to an April 2018 report from leading analyst group Forrester, nearly 60% of North American enterprises rely on public cloud platforms. Given that, it is critical that an organization’s leadership, security and IT teams understand that if they host their applications and valuable data with a public cloud provider, they are responsible for employing the right layers of security to protect them.

Yes, the public cloud relieves an organization of maintaining and securing the underlying hardware infrastructure, but the provider is not responsible for securing the customer’s applications and data from cyberthreats; that is on the customer. All major public cloud providers (e.g., Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform) operate under a shared responsibility model, and the details vary somewhat from provider to provider. In general, though, the cloud customer is responsible for supplementing the provider’s native security controls with its own layer of security controls.

What Areas of Cybersecurity are Cloud Service Providers (CSPs) Responsible For?

A shared responsibility model for cloud security means the Cloud Service Provider (CSP) is responsible for the security of the cloud. In other words, the organization’s CSP is responsible for securing assets such as:

  • the underlying hardware and assets
  • their global or regional infrastructure footprint
  • the hypervisors on which your compute instances run
  • the physical network, and physical security

What Areas of Cybersecurity are Cloud Customers Responsible For?

In turn, the customer, using the infrastructure-as-a-service provisioned to them, is responsible for security in the cloud. This means customers are expected to secure, among other things:

  • their own data, including what they have within their organization and what they’re sharing with customers and business partners
  • the client platforms
  • the applications
  • the identity and access management they provide to their users within the organization.

In addition, cloud customers are responsible for making sure that operating system, network and firewall settings are securely configured. They are also responsible for their encryption mechanisms, including client-side encryption, server-side encryption and encryption of network traffic.
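One concrete piece of that customer-side responsibility is the firewall rule set around each instance. As an added example (my own code, not from the report and not tied to any provider’s tooling), here is a small audit that takes security-group descriptions shaped like the output of `aws ec2 describe-security-groups` and flags administrative and database ports reachable from the whole Internet. Both groups are constructed: the weak one beside a corrected version in which SSH is limited to an assumed corporate egress range and MySQL to the application subnet; the admin-port list is also an assumption to adapt to your environment.

```python
import ipaddress

# Ports that should never be reachable from 0.0.0.0/0 or ::/0 (assumed list for
# this example; extend it with whatever your environment treats as admin-only).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 1433: "mssql",
               3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb"}

# Constructed groups in the shape returned by `aws ec2 describe-security-groups`.
WEAK_GROUP = {
    "GroupId": "sg-weak-example", "GroupName": "web-weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
HARDENED_GROUP = {
    "GroupId": "sg-hardened-example", "GroupName": "web-hardened",
    "IpPermissions": [
        # SSH only from the assumed corporate egress range (198.51.100.0/24 is a placeholder).
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        # MySQL only from the application subnet, never from the Internet.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        # HTTPS is the one service meant to be public.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


def world_sources(perm):
    """CIDRs in the rule that cover the entire IPv4 or IPv6 address space."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def exposed_admin_ports(perm):
    """Admin/database ports that fall inside the rule's port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule
        return dict(ADMIN_PORTS)
    if proto not in ("tcp", "udp"):         # icmp etc. carry no admin service
        return {}
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    return {p: name for p, name in ADMIN_PORTS.items() if lo <= p <= hi}


def audit_group(group):
    """Return one finding per (admin port, world-open source) pair in the group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = world_sources(perm)
        if not sources:
            continue
        for port, service in sorted(exposed_admin_ports(perm).items()):
            for src in sources:
                findings.append({"group": group["GroupId"], "port": port,
                                 "service": service, "source": src})
    return findings


if __name__ == "__main__":
    for g in (WEAK_GROUP, HARDENED_GROUP):
        found = audit_group(g)
        print(g["GroupName"], "->", "OK" if not found else f"{len(found)} finding(s)")
        for f in found:
            print(f"  {f['service']}/{f['port']} open to {f['source']}")
```

The check is deliberately blind to port 443 from the world, because a web tier is supposed to be public; what it catches is the pattern behind the brute-force numbers earlier in the report, SSH, RDP and database listeners that the provider will happily expose to every scanner on the Internet because the customer asked it to.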

Making sure organizations fully understand the scope of their responsibility, as to what components of the cloud they’re expected to secure, is critical. It will help them determine exactly what controls, mechanisms and frameworks they need to employ to meet regulatory compliance and corporate security objectives, while continuing to innovate and securely grow their business.