What can we learn from recent cloud security breaches?


Over the past year there have been several prominent cyber incidents involving the cloud. These incidents have illustrated the dependency of organizations on the cloud, the vulnerability of the cloud and the motivation of attackers to utilize this to their advantage. But if we look closer we can also identify some lessons that can be learned and implemented by others.

Summary of Major Incidents

In May, software giant Snowflake was made aware of a cyber incident. Initially it was thought that the attackers sought to hack Snowflake itself, but it was later discovered that they were really after Snowflake's clients (more than 160 were targeted), including Santander Bank, online ticket sales platform Ticketmaster, Pure Storage, Advance Auto Parts and AT&T.

In early June the Russian ransomware group Qilin attacked Synnovis, a partnership that provides pathology services to several London-based hospital Trusts. The attack crippled Synnovis's IT systems, interrupting many of its pathology services and creating a ripple effect that severely impaired the ability of hospitals and clinics to provide urgent services (resulting in thousands of cancelled and delayed operations and appointments). Later that month, CDK Global, a US-based software company that serves more than 15,000 car dealerships across the nation (which, in turn, account for more than half of US auto sales), suffered two successive cyber attacks by the hacking group BlackSuit, leaving its IT systems crippled and thousands of auto dealerships without access to critical functions such as sales management, inventory management, customer relationship management (CRM), service and repair management, finance and insurance (F&I), digital marketing, data analytics, and back-office operations (including accounting, payroll, and human resources). The total damage of these attacks is estimated in billions of dollars.

These are the primary factors that allowed these attacks:

  1. Credential theft and trade: some of the attacks were conducted using credentials stolen in the past by infostealing malware and hacking groups (including VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA and METASTEALER).
  2. Credentials that had not been changed for years: some organizations, oblivious to the fact that their credentials had been stolen, left them valid long after the theft, in some cases years later, without updating or revoking them.
  3. Reliance on credentials alone, without "allow lists" or MFA: some customers had not implemented "allow lists" restricting access to specific locations, IP addresses and domains, making the use of stolen credentials easier. Some impacted accounts were not configured with multi-factor authentication, so a successful login required only a valid username and password.
  4. Reliance on 3rd-party software and services: the hospitals' reliance on Synnovis for pathology and blood services, and the auto dealerships' reliance on CDK Global's CRM software, made them extremely vulnerable. At least in the case of Synnovis, some hospitals had concerns about its security posture but failed to act before the attack.

 

In the case of Snowflake customers, some of them worked with external contractors who assisted in configuring and operating the Snowflake software. These contractors did not appear to adhere to strict security procedures (some of their laptops were also used for personal activities, including gaming and downloading pirated software). A single compromised contractor laptop could have had access to numerous Snowflake accounts across multiple customers.

All these factors enabled threat actors to breach multiple organizations: credentials that were not well guarded, accounts with old credentials and no MFA, no allow lists, and reliance on external contractors and 3rd-party software and service providers with a weaker security posture. None of this required formidable "hacking" skills or knowledge of software vulnerabilities and their exploitation.

What can organizations do to secure themselves:

These incidents illustrate several important aspects of modern cloud-based vulnerabilities, that most organizations should take notice of:

  • Ease of conducting attacks against cloud-based systems: these attacks did not require a high level of proficiency, only general knowledge of how organizations neglect basic security and IT procedures. Looking ahead, many more attackers will follow this "path of least resistance" and launch numerous attacks against such systems.
  • Importance of basic cloud hygiene practices: poor cloud hygiene and security practices are another factor that amplifies the risk to organizations. In the past, poor hygiene could be tolerated because on-prem systems were less accessible to external threats; today these systems are exposed to the outside world and, as we've seen, can easily be manipulated.
  • Risks of 3rd parties and the supply chain: 3rd parties have always presented risks to organizations, but the cloud has exacerbated this risk to phenomenal levels. One contractor with access to several user accounts can seriously compromise an entire organization. One software vendor with antiquated architecture can disable tens of thousands of businesses.
  • Importance of employing CDR: given the immense risks and challenges, it is necessary to employ modern security technologies that can identify and alert on such attacks. CDR (Cloud Detection and Response) could have identified these attacks. By using behavioural analytics, CDR could have detected anomalous access (even without "allow lists"). It would have identified accounts without proper MFA and alerted before they were exploited. Moreover, combining CDR with breach simulation should have identified that specific accounts were prone to exploitation and allowed the faulty configuration to be remedied before the attack.
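The weaknesses listed in the factors above (no MFA, credentials left unrotated for years, no allow list) and the behavioural detection described in the CDR bullet can all be checked mechanically against account records and authentication logs. The following is an added example, not code from the original post or from Skyhawk Security: it runs four checks over a constructed set of account records and login events. The record fields (`user`, `mfa`, `password_changed`), the event tuple layout, the allow-list ranges and the /24-network baseline are all assumptions invented for illustration; a real deployment would feed the same logic from the identity provider's user export and sign-in log.

```python
"""Audit constructed account records and login events for the weaknesses
discussed above: accounts without MFA, credentials left unrotated for years,
and successful logins from outside an allow list or from a network the
account has never used before (a simple behavioural baseline)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample data; none of it comes from a real tenant.
AS_OF = datetime(2024, 6, 1, tzinfo=UTC)
MAX_CREDENTIAL_AGE = timedelta(days=365)
BASELINE_WINDOW = timedelta(days=14)  # events older than this form the baseline

ACCOUNTS = [
    {"user": "svc_etl", "mfa": False, "password_changed": datetime(2021, 3, 4, tzinfo=UTC)},
    {"user": "alice", "mfa": True, "password_changed": datetime(2024, 2, 1, tzinfo=UTC)},
    {"user": "contractor_bob", "mfa": False, "password_changed": datetime(2023, 11, 20, tzinfo=UTC)},
]

# Only these ranges are expected to reach the tenant (constructed allow list).
ALLOW_LIST = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("203.0.113.0/24")]

# Constructed authentication log: (timestamp, user, source_ip, success)
LOGIN_EVENTS = [
    (datetime(2024, 5, 1, 9, 0, tzinfo=UTC), "alice", "10.20.5.7", True),
    (datetime(2024, 5, 2, 9, 5, tzinfo=UTC), "alice", "10.20.5.9", True),
    (datetime(2024, 5, 3, 8, 0, tzinfo=UTC), "svc_etl", "203.0.113.40", True),
    (datetime(2024, 5, 28, 3, 12, tzinfo=UTC), "svc_etl", "198.51.100.23", True),
    (datetime(2024, 5, 29, 2, 40, tzinfo=UTC), "contractor_bob", "10.20.7.1", False),
    (datetime(2024, 5, 29, 2, 41, tzinfo=UTC), "contractor_bob", "10.20.7.1", True),
]


def accounts_without_mfa(accounts):
    """Usernames that can authenticate with a password alone."""
    return [a["user"] for a in accounts if not a["mfa"]]


def stale_credentials(accounts, as_of=AS_OF, max_age=MAX_CREDENTIAL_AGE):
    """(user, age_in_days) for credentials older than max_age."""
    out = []
    for a in accounts:
        age = as_of - a["password_changed"]
        if age > max_age:
            out.append((a["user"], age.days))
    return out


def logins_outside_allow_list(events, allow_list=ALLOW_LIST):
    """Successful logins whose source address is not in any allowed range."""
    out = []
    for _ts, user, ip, ok in events:
        addr = ipaddress.ip_address(ip)
        if ok and not any(addr in net for net in allow_list):
            out.append((user, ip))
    return out


def _network_of(ip):
    # Coarse /24 key so a user's usual office or VPN egress forms one bucket.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def new_network_logins(events, as_of=AS_OF, window=BASELINE_WINDOW):
    """Successful logins in the recent window from a /24 the user never used
    in the baseline period. An allow list alone misses these when the new
    network is itself allowed, which is why this check is separate."""
    cutoff = as_of - window
    baseline = defaultdict(set)
    for ts, user, ip, ok in events:
        if ok and ts < cutoff:
            baseline[user].add(_network_of(ip))
    out = []
    for ts, user, ip, ok in events:
        if ok and ts >= cutoff:
            net = _network_of(ip)
            if net not in baseline[user]:
                out.append((user, ip, net))
    return out


def audit(accounts=ACCOUNTS, events=LOGIN_EVENTS):
    """Combine the four checks into one findings report."""
    return {
        "no_mfa": accounts_without_mfa(accounts),
        "stale_credentials": stale_credentials(accounts),
        "outside_allow_list": logins_outside_allow_list(events),
        "new_network": new_network_logins(events),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

On the constructed data the report flags `svc_etl` three times (no MFA, a credential over three years old, and a login from an address outside the allow list that is also a network the account never used), and it flags `contractor_bob` for missing MFA and for a first login from a network with no history for that account even though the address is inside the allow list. That last case is the one the CDR bullet is making: the allow list is satisfied, so only the behavioural baseline notices.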

 

How Skyhawk Security Can Help

Skyhawk Security bridges the gap between threat exposure management and threat detection and response with an automated, AI-driven approach. Our adaptive threat detection ensures continuous protection as your cloud architecture evolves, reducing the risk of third-party vulnerabilities.

  • Comprehensive Threat Detection: Using AI-powered insights to identify and respond to threats in real-time.
  • Automated Remediation: Implementing trusted automated responses to stop breaches before they impact operations.
  • Supply Chain Security: Ensuring that third-party vendors meet stringent security standards to prevent single points of failure.

 

Protect Your Organization

Don’t let your organization fall victim to cyber-attacks. Contact Skyhawk Security today to learn how our advanced solutions can safeguard your IT infrastructure and ensure continuous, secure operations. Subscribe for free today!

 

 
