Cloud jacking: when the "internet cloud" becomes a target

2020-12-03
Author: Jan Tissler

Without cloud services, many processes in the modern working world would be inconceivable or at least much more complicated. At the same time, "the cloud" is an extremely rewarding target for hackers and blackmailers. Read here what the attack vectors look like and what countermeasures are possible.

Anyone who stores data in the cloud and uses the corresponding services may feel particularly secure: surely the providers do everything they can for IT security? The catch is that the providers can only ensure that the basic defensive measures are in place. They have little influence over whether the services are set up or used insecurely. And if an employee hands over their access credentials by mistake, none of that matters: the cloud service is then as secure as a safe with the door left open.

Attack routes and targets

Attacks on these services are known as "cloud jacking", among other things. There are various scenarios that you should be prepared for:

Account takeover through (spear) phishing

A frequently encountered attack pattern is the takeover of a cloud account via "(spear) phishing": users are tricked into handing over their access credentials. This happens, for example, via fake emails and websites that look confusingly similar to their official counterparts.
Attacks of this kind are now also aimed at specific organizations or even individuals.

Security gaps and incorrectly assigned access rights

Well-known attack tactics are used here as well. In these cases, the attackers try to inject their own code, for example by exploiting insufficiently protected database queries. Or the attack is initially directed at the services and tools used to operate or further develop the cloud offering itself.
Last but not least, incorrectly assigned access rights make things all too easy for attackers: if, for convenience, every employee in the company can and may do everything in the cloud, attackers have plenty of room to operate.

Intercepting data traffic

A successful attack is not always immediately apparent. Data traffic may first be intercepted in order to gather further information, or the documents and data that can now be retrieved are evaluated and used for the next steps.
In addition, the content the service delivers could be manipulated in order to redirect users to fake sites, inject malware, and much more.

Ransomware

So far, ransomware has mainly attacked devices on internal networks, but in principle it can also reach data in the cloud. That data is then encrypted and only released again for a ransom.
In the past, ransomware was spread as widely as possible in order to extract money from the masses. Today, the targets are often precisely those companies and organizations that are very likely to pay a high ransom. The simple calculation: the less an industry can afford downtime due to blocked computers and networks, and the higher its turnover, the more at risk it is.

Island hopping

Cloud services also have the potential to become the starting point for "island hopping": in this approach, attackers first compromise a smaller target and use it as a stepping stone, moving from one intermediate victim to the next until they reach the actual target.
Therefore, no organization should feel safe just because its own data is not considered valuable. A prominent example: the momentous attack on the US retail chain "Target" came via a service provider for heating and ventilation systems.

Countermeasures for companies

Countermeasures mainly revolve around closing or at least strongly securing key gateways:

  • First and foremost, this includes the company's own employees: they must be kept up to date about current threats and developments. Ideally, scenarios such as a phishing email or a phishing call should be rehearsed directly.
  • It is also important to clearly define internal processes: who is allowed to release what information, and to whom?
  • The right tools should be in place, such as up-to-date virus protection.
  • With regard to the cloud itself, it is crucial to check the configuration regularly. As mentioned above, this includes the access rights.
  • Multi-factor login should be a matter of course.
  • Depending on the service, access can also be restricted to certain IP addresses so that it can only be used via the company's own VPN tunnel.
  • Furthermore, these rules should apply not only within your own company, but also to partners, no matter how small and harmless they seem.
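The configuration checks in the list above (access rights, multi-factor login, restriction to the company's own IP ranges) can be automated. The following script is an added example and not part of the original article: it audits access policies written in the AWS IAM style (Effect / Action / Resource / Condition with the condition keys `aws:SourceIp` and `aws:MultiFactorAuthPresent`), which is an assumed format, and compares a deliberately over-broad "everyone may do everything" policy with a narrowed version. The VPN ranges, bucket name and policy contents are constructed placeholder values.

```python
"""Audit cloud access policies for the misconfigurations discussed above.

Assumptions (not from the article): policies are JSON in the AWS IAM style
(Effect / Action / Resource / Condition), the company's VPN egress ranges are
known, and "aws:SourceIp" / "aws:MultiFactorAuthPresent" are the condition keys.
"""
import ipaddress
import json

# Constructed sample: the company's VPN egress ranges (placeholder values).
VPN_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed sample: the "everyone may do everything" policy the article warns
# about, plus a statement that is narrowed in name only (open to any source IP).
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-finance-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}
  ]
}
""")

# Constructed sample: the same intent, narrowed to two actions on one bucket,
# one VPN range and a mandatory MFA login.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-finance-bucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "Bool": {"aws:MultiFactorAuthPresent": "true"}
      }
    }
  ]
}
""")


def _as_list(value):
    """IAM allows either a string or a list in Action/Resource/condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _outside_vpn(cidrs, vpn_cidrs):
    """Return the source ranges that are not contained in any VPN range."""
    vpn_nets = [ipaddress.ip_network(c) for c in vpn_cidrs]
    bad = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if not any(net.version == v.version and net.subnet_of(v) for v in vpn_nets):
            bad.append(c)
    return bad


def audit_policy(policy, vpn_cidrs=VPN_CIDRS):
    """Return a list of (statement_index, finding) for every Allow statement."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        cond = stmt.get("Condition", {})

        # Wildcard actions: "*" or a whole service such as "s3:*".
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "wildcard action"))
        # Wildcard resources: the statement applies to everything in the account.
        if "*" in resources:
            findings.append((idx, "wildcard resource"))
        # Source-IP restriction: missing, or allowing ranges outside the VPN.
        source_ips = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp"))
        if not source_ips:
            findings.append((idx, "no source IP restriction"))
        else:
            for c in _outside_vpn(source_ips, vpn_cidrs):
                findings.append((idx, f"source IP {c} outside VPN ranges"))
        # MFA: the Bool condition must be present and set to true.
        mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append((idx, "MFA not required"))
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol) or "no findings")
```

Run against the two samples, the weak policy produces seven findings (wildcards, a missing and an open source-IP condition, and no MFA requirement on either statement) while the hardened one produces none. In practice the same check would be run on a schedule over policies exported from the provider, so that the regular configuration review the article calls for does not depend on someone remembering to do it.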

Last but not least, every company needs a contingency plan in case something does go wrong. Data in the "internet cloud" should be encrypted, and cloud data should never exist in only one place: a backup strategy is also part of this.