Cloud Jacking: When the «internet cloud» becomes a target
03-12-2020 Author: Jan Tissler
Without cloud services, many processes in the modern working world would be inconceivable or at the very least much more complicated. And yet, «the cloud» is an extremely valuable target for hackers and blackmailers. Read here to learn what the attack routes look like and which countermeasures can be implemented.
Anyone who stores data in the cloud and uses the corresponding services probably feels pretty secure: surely the providers will take care of IT security? The problem is, service providers can only ensure the basic defense measures are in place. Beyond that, they have little influence over how the services are set up and whether they're used insecurely. And if a company employee were to accidentally disclose their login details, it will have all been in vain. At that point, the cloud service is as secure as a safe with an open door.
Attack routes and targets
Attacks on these services are also known as «cloud jacking». There are different scenarios users need to be prepared for:
Account takeover through (Spear) Phishing
One frequently encountered attack pattern is the takeover of cloud accounts through «(spear) phishing», whereby users are tricked into giving up their login details. This happens, for example, via fake emails and websites that look confusingly similar to their official versions.
Attacks of this type are now also being aimed at specific organizations or even individuals. More on this in this post.
Security gaps and incorrectly assigned access rights
It is also common for better-known attack tactics to be used. Here, hackers try to smuggle in their own code, for example by injecting it into poorly protected database queries. Or the attack may initially be aimed at the services and tools used to operate or further develop the cloud offering itself.
Last but not least, incorrectly assigned access rights make it all too easy for attackers; if, for example, all of the company's employees are allowed to do everything in the cloud for reasons of convenience, hackers will have ample room to move.
Interception of data traffic
A successful attack won't always be immediately noticeable. The attackers may first listen in on the data traffic to collect further information, or evaluate the documents and data they can now access and use them for their next steps.
In addition, the information provided could be manipulated in order to redirect users to fake pages, to slip in malware and much more.
Ransomware, on the other hand, has until now mainly been used to attack devices on an internal network, but it can just as easily get hold of data in the cloud. That data is then encrypted and only released for a ransom.
In the past, ransomware would be spread as widely as possible in order to extract money from a larger crowd of victims. Today, it is often the attacked companies and organizations themselves that are most likely to pay high extortion fees. The simple calculation is that the less an industry can afford downtime due to blocked computers and networks, and the higher the turnover, the greater the risk.
At the same time, cloud services have the potential to become a starting point for island hopping: In this approach, attackers initially set themselves a more modest target, then proceed to another intermediate step, until eventually reaching the actual victim.
Therefore, organizations shouldn't feel safe just because their own data is not necessarily considered valuable. A prominent example: The momentous attack on the US retail chain «Target» came in through a service provider for heating and ventilation systems.
Countermeasures for companies
Countermeasures are primarily about closing essential gateways or at the very least strongly securing them:
- First and foremost, this includes your own employees: They must always be kept up to date on the impending dangers and current developments. Ideally, scenarios such as phishing emails or phishing calls should be directly simulated.
- It is also very important to clearly define internal processes: who is allowed to release what information and to whom?
- The right tools should be available, such as up-to-date virus protection.
- Regarding the cloud itself, it is crucial to regularly check its configuration. As mentioned above, this also includes access rights.
- Multi-factor login should be a matter of course.
- Likewise, depending on the service, access can be restricted to certain IP addresses so that the service can only be used via the company's own VPN tunnel.
- In addition, these rules should be applied not only within your own company, but also with partners – no matter how small and harmless they may seem.
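As an added illustration (not from the original post) of what "regularly checking the configuration" can mean in practice, the script below audits a policy document for three of the points above: no "everyone may do everything" grants, multi-factor login enforced, and access pinned to the company's own IP range. It assumes the AWS IAM JSON policy format and its `aws:MultiFactorAuthPresent` / `aws:SourceIp` condition keys purely as a concrete example; the post names no provider, and the sample policy is constructed.

```python
# Added example, not from the post: audit an IAM-style policy for three of the
# countermeasures above (no "everyone may do everything" grants, MFA enforced,
# access pinned to the company's own IP range). Policy is a constructed sample
# in AWS IAM JSON syntax (an assumption; the post names no provider).
import json

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # convenience grant: every action on every resource, no conditions
            "Sid": "AllowEverything", "Effect": "Allow",
            "Action": "*", "Resource": "*"},
        {   # scoped grant, but no MFA and reachable from any network
            "Sid": "ReadReports", "Effect": "Allow",
            "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-reports/*"},
        {   # hardened grant: scoped, MFA required, limited to the VPN egress range
            "Sid": "HardenedWrite", "Effect": "Allow",
            "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-reports/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                          "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return {Sid: [finding, ...]} for each Allow statement that fails a check."""
    findings = {}
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access; not audited here
        problems = []
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            problems.append("wildcard action on wildcard resource")
        cond = stmt.get("Condition", {})
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            problems.append("no MFA condition")
        if "aws:SourceIp" not in cond.get("IpAddress", {}):
            problems.append("no source-IP restriction")
        if problems:
            findings[stmt.get("Sid", "<no Sid>")] = problems
    return findings

if __name__ == "__main__":
    for sid, problems in audit_policy(SAMPLE_POLICY).items():
        print(f"{sid}: {', '.join(problems)}")
```

Running it flags the first two statements and passes the hardened one; the same checks can be run over every policy exported from the account as part of the regular configuration review.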
Last but not least, every company needs an emergency plan just in case something goes wrong. The data in the «Internet cloud» should be encrypted accordingly and cloud data should be available in more than one location: a backup strategy is also important here.