Admin credentials are targeted by cybercriminals to improve attacks against cloud servers

September 9, 2021

According to Lacework analysts, Docker, Redis, SQL, and SSH have been the main targeted cloud servers in the last three months. 

As reported in Lacework's 2021 Cloud Threat Report Volume 2, many firms must now count cyber threat actors among their competitors, for two main reasons: cybercriminals are extending their efforts to profit from extortion and ransoms, and they are also working hard to profit from stolen data and private information.

Lacework Labs investigated customer telemetry and other data to gauge the intensity and growth of security threats against cloud deployments. An interesting trend was found over the past months: rising demand for access to cloud servers, observed through Initial Access Brokers selling admin credentials for cloud servers and accounts. The analysis also found a continued rise in scanning for and probing of storage buckets, interactive logins, databases, and orchestration systems.

Lacework Labs tracks attacker activity against the MITRE ATT&CK framework, whose Enterprise matrix is a superset of the Windows, macOS, and Linux matrices. The report lists the most prominent attacker tactics, techniques, and procedures observed in the last few months, including Execution: Deploy Container [T1610], Persistence: Implant Internal Image [T1525], and User Execution: Malicious Image [T1204.003].

TeamTNT, a threat actor that steals cloud credentials, opens backdoors, mines cryptocurrency, and deploys worms, has also been tracked by Lacework analysts throughout the year. Earlier this year, Docker images carrying TeamTNT malware were reported in public Docker repositories, the result of malicious account takeovers. In addition, several cases were seen in which Docker Hub secrets exposed on GitHub were used to deploy and exploit malicious images.


Exploring the cloud servers

To detect cloud threats, the report analyzed traffic from May 1 to July 1 this year. The analysis identified Docker, Redis, SQL, and SSH as the most targeted cloud applications and services, with attacks against them recurring throughout the last three months.

To secure cloud environments more effectively, Lacework analysts suggest the following steps:

  1. Put proper firewall rules, security groups, and other network controls in place, and ensure that Docker sockets are not publicly exposed.
  2. Base images must come from a reliable upstream source and be correctly audited.
  3. Enforce key-based SSH authentication.
  4. Ensure that access policies set from the console on S3 buckets are not overridden by an automation tool.
  5. Regularly audit S3 policies and the automation around S3 bucket creation.
  6. Avoid exposure to the internet by enabling protected mode on Redis instances.
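
Three of the host-level items above (no publicly exposed Docker socket, key-only SSH, Redis protected mode) can be turned into a configuration audit. The script below is an added example, not code from Lacework or the report: it checks a Docker `daemon.json`, an `sshd_config` and a `redis.conf` for the weak settings and runs itself against constructed sample files written to a temporary directory. The check names and the sample contents are assumptions made for the example; the file formats and directives are the real ones for those services.

```shell
#!/bin/sh
# Added example: audit three config files for the weak settings named in the
# hardening list. Each check prints findings to stderr and returns 0 (pass)
# or 1 (finding) so it can gate a CI job or a host bootstrap script.

# Docker: flag a daemon.json that lists a tcp:// listener without
# "tlsverify": true (an unauthenticated TCP socket is root on the host).
check_docker_daemon() {
  f="$1"
  if grep -q 'tcp://' "$f" && ! grep -q '"tlsverify"[[:space:]]*:[[:space:]]*true' "$f"; then
    echo "FINDING $f: Docker API listens on TCP without TLS verification" >&2
    return 1
  fi
  return 0
}

# SSH: the effective (last uncommented) PasswordAuthentication must be "no".
# An unset value is a finding too, because the sshd default is "yes".
# Assumption: no Include or Match blocks override the top-level setting.
check_sshd_config() {
  f="$1"
  val=$(grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$f" | tail -n 1 | awk '{print tolower($2)}')
  if [ "$val" != "no" ]; then
    echo "FINDING $f: PasswordAuthentication is '${val:-unset (defaults to yes)}'" >&2
    return 1
  fi
  return 0
}

# Redis: protected-mode must not be "no" (it defaults to yes), and the
# instance must not bind 0.0.0.0. Protected mode only restricts clients when
# no explicit bind directive is set, so binding all interfaces defeats it.
check_redis_config() {
  f="$1"
  rc=0
  pm=$(grep -Ei '^[[:space:]]*protected-mode[[:space:]]+' "$f" | tail -n 1 | awk '{print tolower($2)}')
  if [ "$pm" = "no" ]; then
    echo "FINDING $f: protected-mode is disabled" >&2
    rc=1
  fi
  if grep -Eq '^[[:space:]]*bind[[:space:]].*0\.0\.0\.0' "$f"; then
    echo "FINDING $f: bound to 0.0.0.0 (reachable from every interface)" >&2
    rc=1
  fi
  return $rc
}

# Run all checks over one directory; stdout carries only the finding count.
audit_dir() {
  d="$1"
  n=0
  check_docker_daemon "$d/daemon.json" || n=$((n + 1))
  check_sshd_config "$d/sshd_config" || n=$((n + 1))
  check_redis_config "$d/redis.conf" || n=$((n + 1))
  echo "$n"
}

# Constructed sample configs (not real hosts): one weak set, one hardened set.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/weak" "$SAMPLE_DIR/hardened"
printf '%s\n' '{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }' > "$SAMPLE_DIR/weak/daemon.json"
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' > "$SAMPLE_DIR/weak/sshd_config"
printf '%s\n' 'bind 0.0.0.0' 'protected-mode no' > "$SAMPLE_DIR/weak/redis.conf"
printf '%s\n' '{ "hosts": ["unix:///var/run/docker.sock"] }' > "$SAMPLE_DIR/hardened/daemon.json"
printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$SAMPLE_DIR/hardened/sshd_config"
printf '%s\n' 'bind 127.0.0.1' 'protected-mode yes' > "$SAMPLE_DIR/hardened/redis.conf"

# Usage: point audit_dir at a directory holding the three files.
echo "weak sample findings:     $(audit_dir "$SAMPLE_DIR/weak")"
echo "hardened sample findings: $(audit_dir "$SAMPLE_DIR/hardened")"
```

On a real host the three paths are typically `/etc/docker/daemon.json`, `/etc/ssh/sshd_config` and `/etc/redis/redis.conf`; the checks are deliberately text-based so they can run in an image-build stage before the services start. The S3 items on the list are not covered here because they are account-level settings that have to be queried through the cloud provider's API rather than read from a file.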