For weeks, cybersecurity experts and government agencies have been urging organisations to enhance their cyber-defenses due to the increased threat of cyberattacks amid Russia’s invasion of Ukraine. That means not only improving detection and response for emerging threats, but also building stronger resilience into infrastructure so that it can better withstand attack. This might be a significant undertaking. After two years of digital transformation during the pandemic, many organisations have a much larger attack surface today than they did pre-COVID.
Cloud resources are particularly vulnerable, as many have been accidentally misconfigured and sit exposed, without protection. As such, online databases and storage buckets could be an attractive target for attackers should fears over cyberattacks escalating beyond the conflict in Ukraine materialise. In fact, researchers have already observed raids on cloud databases in recent weeks, and there are plenty of threat actors out there waiting to take advantage.
The value of the public cloud
Cloud systems are increasingly the bedrock on which digital transformation is built. They provide a relatively low-cost, scalable and flexible way to store and manage data – with a lower management burden for IT, built-in disaster recovery and anywhere, anytime access. As a backend for applications, databases stored in the public cloud could contain:
- Business-critical corporate data
- Personally identifiable information belonging to employees and customers
- Highly sensitive IP and trade secrets
- IT/admin information such as APIs or encryption keys, which could be leveraged in future attacks
It goes without saying that if any of this data found its way into the wrong hands, it could be hugely damaging for a victim organisation, potentially leading to regulatory fines, legal costs, IT overtime costs, lost productivity and sales, customer churn and reputational damage.
The problem with cloud databases
The challenge is that cloud storage and databases are easily misconfigured. And once left exposed, they could be relatively easily found with off-the-shelf internet scanning tools. This exemplifies the challenge defenders have: they need to get security right every time, whereas attackers need only get lucky once.
The challenge is particularly acute given the complexity of modern enterprise cloud environments. Most organisations are running a combination of on-premises and public/private clouds, and investing with multiple providers to spread their risk. One report suggests 92% have a multi-cloud strategy, while 82% are investing in hybrid cloud. It’s difficult for IT teams to keep up-to-speed with the functionality of one cloud service provider (CSP), never mind two or three. And these CSPs are constantly adding new features in response to customer requests. While this provides organisations with a huge set of granular options, it arguably also makes it harder to do the simple things well.
It’s especially problematic for developer or DevOps teams, which often don’t have specialised security training. A recent analysis of over 1.3 million Android and iOS apps, revealed that 14% of those that used public cloud services in their backend were exposing user information via misconfigurations.
As mentioned in a previous article, cloud misconfiguration can take many forms, the most common being:
- Missing access restrictions
- Security group policies that are too permissive
- A lack of permissions controls
- Misunderstood internet connectivity paths
- Misconfigured virtualised network functions
Cloud systems are already being targeted
In the event of an escalation in hostilities, exposed cloud systems would be a natural target. Many are relatively easy to discover and compromise: for example, accounts left open without encryption or password protection. In fact, researchers have already observed some activity of this sort – in this case, targeting cloud databases located in Russia.
Out of a random sample of 100 misconfigured cloud databases, the research found that 92 had been compromised. Some had file names replaced with anti-war messages, but the largest number were completely wiped using a simple script.
The risk to Western organisations is, therefore, of:
Files held to ransom: Recently published intelligence suggests that pro-Russian cybercrime groups are gearing up to attack targets. They may combine hacktivist-style targeting with tactics designed to monetise attacks. The contents of cloud databases have been held hostage many times before.
Destructive attacks: As has already been observed, it’s relatively easy to wipe the contents of cloud databases completely, once accessed. The script detected in recent pro-Ukraine attacks is said to have resembled that used in the infamous “Meow” attacks of 2020.
Data leakage: Before wiping data completely, threat actors may look to analyse it for any sensitive information, and leak that first in order to maximise the financial and reputational damage inflicted on victim organisations.
How to secure your cloud databases
Tackling the cloud misconfiguration challenge is, sadly, not as easy as flicking a switch. However, there are several changes you can make today to help mitigate the risks highlighted above. They include:
- Shifting security left in DevOps, by building automated security and configuration checks into the development process
- Continuously managing configuration settings, with cloud security posture management (CSPM) tools
- Using CSPs’ built-in tools for monitoring and secure management of cloud infrastructure
- Using policy as code (PaC) tools to automatically scan and assess compliance posture in the cloud
- Encrypting sensitive data as standard, so that if access controls are left misconfigured, hackers can’t view what’s inside
As cloud infrastructure grows, so does the cyberattack surface. War or no war, these best practices should be applied to mitigate mounting cyber risk.
Discussion about this post