Threat actors are getting more adept at exploiting common, everyday issues in the cloud, including misconfigurations, weak credentials, missing authentication, unpatched vulnerabilities, and malicious open-source software (OSS) packages. Meanwhile, security teams take an average of 145 hours to resolve an alert, and in most environments 80% of cloud alerts are triggered by just 5% of security rules.
That’s according to the Unit 42 Cloud Threat Report, Volume 7, which analyzed the workloads in 210,000 cloud accounts across 1,300 different organizations to gain a comprehensive look at the current cloud security landscape. It cited a small set of risky cloud behaviors that are repeatedly observed across organizations, warning that the average time to remediate an alert (roughly six days) gives adversaries a lengthy window in which to exploit cloud vulnerabilities.
Excessive cloud permissions, weak authentication, public exposure still prevalent
This year’s findings echoed many from previous Unit 42 cloud security reports. Last year’s research, which focused primarily on misconfigured identity and access management (IAM), found that almost all cloud users, roles, services, and resources are granted excessive permissions, so a single compromised identity can be used to move laterally and escalate privileges. This year’s report found that this remains a major issue, particularly when attackers combine excessive permissions with hard-coded credentials scraped from repositories or virtual machine user data: 83% of organizations have hard-coded credentials in their source control management systems, and 85% have hard-coded credentials in virtual machines’ user data, the latest research found.
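Hard-coded cloud credentials in repositories and in instance user data are the kind of finding a simple scanner catches before an attacker does. The following is an added example, not code from the report or from Unit 42: it scans text for AWS access key IDs (the documented AKIA/ASIA prefixes), 40-character AWS secret keys, and generic password/token assignments, filtering the generic matches with a Shannon-entropy threshold so template references and obvious placeholders are not reported. The sample user-data script is constructed for the example and uses the AWS documentation’s example key pair.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Added example: pattern-based secret detection with an entropy filter.
# The AKIA/ASIA prefixes and the 40-character secret format are AWS conventions;
# the generic assignment pattern below is a heuristic, not an AWS format.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
AWS_SECRET = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
GENERIC_SECRET = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]{8,})"
)

# Constructed sample of EC2 user data (not taken from the report). The AWS key
# pair is the example pair from the AWS documentation, not a live credential.
SAMPLE_USER_DATA = """\
#!/bin/bash
# Constructed sample of EC2 user data (not taken from the report).
# Rotate the database password every 90 days.
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD="changeme"
APP_TOKEN="xK9q2LmZ8pR4vB7tY1nW3eH6"
export REDIS_PASSWORD="${REDIS_PASSWORD}"
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score well above 3."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Template references ($VAR, {{var}}, <fill-in>) and dummy values are not secrets."""
    return value.startswith(("$", "{", "<")) or value.lower() in {
        "changeme", "password", "example", "xxxxxxxx",
    }


def scan_text(text: str, entropy_threshold: float = 3.0) -> list[Finding]:
    """Return one Finding per credential-looking match, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET.finditer(line):
            findings.append(Finding(line_no, "aws_secret_access_key", m.group(1)))
        for m in GENERIC_SECRET.finditer(line):
            value = m.group(2)
            # Low-entropy or templated values are the usual false positives.
            if looks_like_placeholder(value) or shannon_entropy(value) < entropy_threshold:
                continue
            findings.append(Finding(line_no, f"generic_{m.group(1).lower()}", value))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_USER_DATA):
        print(f"line {f.line_no}: {f.kind} -> {f.value[:6]}...")
```

On the constructed sample the scanner reports the AWS key ID, the AWS secret key, and the high-entropy APP_TOKEN, while the `changeme` placeholder, the `${REDIS_PASSWORD}` reference, and the comment that merely mentions a password are ignored. The same function can be pointed at repository contents or at the user data returned for each instance; dedicated secret scanners add many more provider-specific formats, but the prefix-plus-entropy approach is what they build on.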
More than half (53%) of the cloud accounts analyzed in last year’s research allowed weak passwords and 44% allowed password reuse. This year, Unit 42 found that weak authentication persists: three-quarters (76%) of organizations don’t enforce MFA for console users, 58% don’t enforce MFA for root/admin users, and 57% don’t require symbols in passwords, Unit 42 said.
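Both of those gaps, console users without MFA and a weak account password policy, can be checked from two artifacts an AWS account already produces. The following is an added example, not code from the report: it reads the column layout of an IAM credential report (the CSV returned by `aws iam get-credential-report`) and the dictionary shape returned by `aws iam get-account-password-policy`, and lists the console users lacking MFA and the policy settings that fall below a chosen baseline. The rows, the policy values, and the account ID are constructed for the example; the baseline thresholds (14 characters, 24 remembered passwords) are assumptions, not figures from the report.

```python
from __future__ import annotations

import csv
import io

# Constructed sample in the column layout of an IAM credential report
# (only the first eight columns are used here). Not taken from the report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2023-04-01T12:00:00+00:00,not_supported,not_supported,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T10:00:00+00:00,true,2023-04-02T08:00:00+00:00,2023-01-15T00:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2022-06-20T11:00:00+00:00,true,2023-04-03T09:30:00+00:00,2022-06-20T11:00:00+00:00,N/A,false
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2022-07-01T00:00:00+00:00,false,no_information,N/A,N/A,false
"""

# Constructed sample in the shape of the "PasswordPolicy" object returned by
# get-account-password-policy. Missing keys are treated as "not enforced".
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Users who can sign in to the console (or the root user) without MFA enabled.

    API-only users (password_enabled == false) are skipped: MFA on the console
    does not apply to them, and their risk is the access key, not the password.
    """
    flagged: list[str] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        # The root row reports password_enabled as not_supported but always has a password.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


def password_policy_gaps(policy: dict, min_length: int = 14, reuse_history: int = 24) -> list[str]:
    """Policy settings that fall below the assumed baseline, one message each."""
    gaps: list[str] = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < min_length:
        gaps.append(f"minimum length {length} is below {min_length}")
    for flag in ("RequireSymbols", "RequireNumbers",
                 "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not policy.get(flag, False):
            gaps.append(f"{flag} is not enforced")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < reuse_history:
        gaps.append(f"reuse prevention remembers {reuse} passwords, baseline is {reuse_history}")
    return gaps


if __name__ == "__main__":
    print("console users without MFA:", console_users_without_mfa(SAMPLE_REPORT))
    for gap in password_policy_gaps(SAMPLE_POLICY):
        print("policy gap:", gap)
```

On the constructed inputs the report check flags the root user and `bob`, leaves `alice` (MFA on) and the API-only `ci-deployer` alone, and the policy check reports the short minimum length, the missing symbol requirement, and the absent reuse prevention, which are exactly the three weaknesses the report’s statistics describe.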
Publicly exposed cloud resources remain an issue too. Last year, almost two-thirds (62%) of organizations had cloud resources publicly exposed. This year’s data found that 73% of organizations have Remote Desktop Protocol (RDP) exposed to the public internet, 75% have SSH services exposed, and 41% have database services (e.g., SQL Server, MySQL, Redis) exposed. Further, sensitive data was found in 63% of publicly exposed storage buckets.
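The RDP, SSH, and database exposures above are usually the product of a single inbound rule that allows a management or database port from 0.0.0.0/0 or ::/0. The following is an added example, not code from the report: it walks the structure returned by `aws ec2 describe-security-groups`, and for every rule whose source is the whole internet reports which sensitive ports it covers, including rules that use a port range or the all-traffic protocol (`-1`) rather than naming the port. The security groups and the port-to-service table are constructed for the example; the list of ports is an assumption chosen to match the services the report names plus a few common databases.

```python
from __future__ import annotations

import ipaddress

# Assumed port table covering the services named in the report plus common databases.
SENSITIVE_PORTS = {
    22: "SSH",
    3389: "RDP",
    1433: "SQL Server",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    27017: "MongoDB",
}

# Constructed sample in the shape of describe-security-groups output (not from the report).
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-db", "GroupName": "database", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-legacy", "GroupName": "legacy-allow-all", "IpPermissions": [
            # All traffic: AWS omits FromPort/ToPort for protocol -1.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
    ]
}


def is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0, or any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers(perm: dict, port: int) -> bool:
    """Does this inbound rule allow TCP traffic to the given port?"""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports
        return True
    if proto != "tcp":         # UDP/ICMP rules are out of scope for these services
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def public_exposures(describe_output: dict) -> list[tuple[str, int, str, str]]:
    """(group id, port, service, source CIDR) for each sensitive port open to the internet."""
    findings: list[tuple[str, int, str, str]] = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                      [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_sources = [c for c in sources if is_anywhere(c)]
            if not open_sources:
                continue
            for port, service in SENSITIVE_PORTS.items():
                if rule_covers(perm, port):
                    for cidr in open_sources:
                        findings.append((sg["GroupId"], port, service, cidr))
    return findings


if __name__ == "__main__":
    for group_id, port, service, cidr in public_exposures(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id}: {service} (tcp/{port}) open from {cidr}")
```

On the constructed groups the bastion (SSH from a private range) and the public HTTPS rule are not reported, RDP on `sg-web` and MySQL over IPv6 on `sg-db` are, and the all-traffic rule on `sg-legacy` is expanded into one finding per sensitive port. Two details matter in practice: the IPv6 `::/0` source is as public as `0.0.0.0/0` and is easy to overlook, and a rule that names a port range or `-1` exposes everything inside it even though no sensitive port appears in the rule text.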
Software supply chain risks increase as cloud OSS usage evolves
The latest version of Unit 42’s report found that the increasing use of OSS in the cloud heightens supply chain risks. These include the likelihood of deprecated or abandoned software, malicious content, and slower patching cycles. More than 7,300 malicious OSS packages were discovered across all major package manager registries, the report said. While the number of successful exploits by threat actors is unknown, researchers demonstrated several techniques, such as dependency confusion and maintainer account takeover, that effectively infiltrated the software supply chain of multiple large tech companies.
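Dependency confusion works because a resolver that consults a public index alongside a private one will take the highest version it finds anywhere, so an attacker who publishes a package under an internal name with a larger version number wins; account takeover works because an unpinned or unhashed dependency accepts whatever the registry serves next. The following is an added example, not code from the report or from any named project: it checks a Python project’s `pip.conf` and `requirements.txt` for the three settings that make those two attacks succeed, namely `extra-index-url` merging public and private indexes, internal packages without an exact `==` pin, and internal packages without a `--hash` entry. The configuration, the requirements file, the `acme-` internal namespace, and the hash values are constructed for the example.

```python
from __future__ import annotations

import configparser
import re

# Constructed pip configuration (not from the report). Using extra-index-url here
# means pip considers both indexes and installs the highest version it finds.
PIP_CONF = """\
[global]
index-url = https://pypi.example.internal/simple
extra-index-url = https://pypi.org/simple
"""

# Constructed requirements file; the hashes are placeholders, not real digests.
REQUIREMENTS = """\
# constructed requirements.txt
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
acme-billing==2.3.1 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
acme-auth>=1.0
acme-telemetry
"""

# Assumed naming convention for packages that only exist on the private index.
INTERNAL_PREFIXES = ("acme-",)

# Package name followed by an optional exact pin; other specifiers (>=, ~=) are not pins.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*\S+)?")


def dependency_confusion_risks(pip_conf: str, requirements: str,
                               internal_prefixes: tuple[str, ...] = INTERNAL_PREFIXES) -> list[str]:
    """One message per setting that lets a substituted package install."""
    risks: list[str] = []

    cfg = configparser.ConfigParser()
    cfg.read_string(pip_conf)
    if cfg.has_option("global", "extra-index-url"):
        risks.append("pip.conf: extra-index-url merges the public index with the private one, "
                     "so a higher public version of an internal name would be chosen")

    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):  # skip pip options such as -r / --index-url
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, pin = m.group(1), m.group(2)
        if not name.lower().startswith(internal_prefixes):
            continue
        if not pin:
            risks.append(f"{name}: internal package is not pinned with ==, "
                         "so any newer version on either index is accepted")
        if "--hash=" not in line:
            risks.append(f"{name}: no --hash, so a re-published artifact with the same "
                         "version (for example after a maintainer account takeover) would install")
    return risks


if __name__ == "__main__":
    for risk in dependency_confusion_risks(PIP_CONF, REQUIREMENTS):
        print("risk:", risk)
```

On the constructed inputs `acme-billing` passes (exact pin plus hash) while the `extra-index-url` line, `acme-auth`, and `acme-telemetry` each produce findings. The fix the check implies is the usual one: serve internal names only from a private index that never falls through to the public one, pin exact versions, and enable hash checking so that a same-version artifact with different contents is rejected.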
Unpatched cloud vulnerabilities low hanging fruit for attacks
Unpatched vulnerabilities pose a significant security threat to organizations, a problem exacerbated by OSS and by the scale of what organizations need to manage. New vulnerabilities can surface at any time, and in a cloud environment a single vulnerability in source code can be replicated across many workloads, putting the entire cloud infrastructure at risk, the report said. This underscores that no matter how secure the underlying cloud infrastructure is, vulnerable applications running in it open potential attack vectors.
Nearly two-thirds (63%) of the source-code repositories Unit 42 analyzed have high or critical vulnerabilities, 51% of which are at least two years old. Of the internet-facing services hosted in public clouds, 11% contain high or critical vulnerabilities, 71% of which are at least two years old.
Cloud-native application attack surface grows, industry shifts to CNAPPs
Organizations should expect the cloud-native application attack surface to grow as threat actors target misconfigured cloud infrastructure, APIs, and the software supply chain itself, Unit 42 said. To guard against these threats, the industry will see a move away from point security solutions to cloud-native application protection platforms (CNAPPs) that offer a full spectrum of capabilities across the application development lifecycle.
“Today’s complex cloud environment has created layers of services and solutions that overlap but don’t always integrate well. Where point solutions struggle is with integrating and scaling across multiple services,” John Yeoh, global VP of research at the Cloud Security Alliance, tells CSO.
These layers become abstracted to where CNAPP-type solutions provide single source visibility and a centralized control point for security, Yeoh adds. “The attraction with CNAPPs is the ability to manage workloads, control access, and assess risk in a single solution that helps scale and automate security during the full lifecycle of a cloud application and across these complex environments.”
Adding a layer like a CNAPP to manage the complexity layers below is necessary until we need another management layer on top of the CNAPP capabilities, Yeoh says. “CNAPP is a step in the evolution of today’s IT environment.”
Copyright © 2023 IDG Communications, Inc.