Dec 18, 2021

Convergence Ahoy: Get Ready for Cloud-Based Ransomware

Oliver Tavakoli, CTO at Vectra AI, takes us inside the coming nexus of ransomware, supply-chain attacks and cloud deployments.
The two types of cyberattacks that have dominated the news over the past year have been ransomware, and software and service supply-chain attacks. The former have mainly been perpetrated by criminal enterprises looking to turn a quick profit. In contrast, the latter attacks have primarily been the domain of nation-states looking to expand their information-gathering capabilities.
There’s a good chance these two approaches will start converging — and it’s going to happen in the cloud.
One example of this already happening is the ransomware attack that leveraged Kaseya software – but that was a different kind of supply-chain attack in that the supply chain consisted of the managed security service providers (MSSPs) who were hosting Kaseya software on behalf of their customers. Kaseya itself (unlike SolarWinds) was not hacked, and all the action happened downstream.

Why are ransomware and the supply chain coming together? Historically, what started out as nation-state techniques make their way into pen-testing and red teaming tools and eventually become commoditized in attacks undertaken by hackers seeking profit. There’s no reason to think the same won’t happen in this case; thus, it is useful to consider tools and techniques employed in supply-chain attacks as a harbinger of what is to come to ransomware attacks.
Nation-states have plenty of time and human capital to expend in supply-chain efforts, so the complexity or relatively unknown nature of the environment does not present a significant barrier. In fact, many nation-state attacks involve cloud components — they often mix and match traditional on-prem steps in an attack with steps taken in the cloud.
The SolarWinds hack was a case in point. After hacking into SolarWinds and laboriously crafting and inserting a payload into the Orion software, Cozy Bear (aka the Russian SVR) waited for software updates to go out and the infected Orion servers to call home. What followed from there was a careful selection of high-value targets to pursue. One of the common approaches, which was observed across multiple targets, was that the attackers went on to steal the SAML certificate-signing key. The end goal was to be able to impersonate an authenticated user accessing data in Office 365 or other software-as-a-service (SaaS)-delivered applications.
More recently, that same threat actor (referred to by Microsoft as Nobelium) was reported to be hacking MSSPs, expressly to gain access to administrative account credentials. These were used to create accounts in Azure Active Directory (AD), and then onward to the victim’s on-premises AD — the cloud was used again.
This all comes against the backdrop of security monitoring having a particular scope (data center, cloud, federated identity, endpoints, etc.) — overall, security monitoring implemented by most organizations doesn’t do a good job of stitching these scopes together, and that presents another advantage to advanced attackers. As they hopscotch through these areas, they can generally count on any slightly suspicious behavior in one scope not leading to elevated concern in the next.
In contrast, most ransomware attacks that have made the news have been relatively pedestrian. They have used well-known tool chains that are also used by pen-testers and red teams (think Mimikatz, Cobalt Strike, BloodHound, etc.) to perpetrate attacks on relatively traditional IT environments.
There is generally very little reliance on zero-day vulnerabilities (Kaseya being an exception in that the attackers burned a couple of Kaseya VSA server zero-days). When software vulnerabilities are exploited as part of the attack, it’s typically via well-known vulnerabilities for which patches are already available but have not yet been applied by the target. The poster child for this was the EternalBlue exploit in the internal propagation of WannaCry in 2017 – Microsoft released the patch in March, while the large-scale outbreak of WannaCry happened in May.
There is also Willie Sutton’s famous quote when asked why he robbed banks: “Because that’s where the money is.” The migration of data and applications to the cloud which was already well underway at the end of 2019 has been supercharged by the pandemic. And as almost every piece of data of value moves to the cloud, either into SaaS applications or into public-cloud stacks, attackers will undoubtedly follow to the cloud as the pickings for on-premise attacks become slim.
And thanks to the supply-chain attacks, detailed information on how clouds operate and how to attack them is becoming commoditized. So once the money moves to the cloud, the ability to attack there will not be limited to nation states.
With most attacks, there is a question of what the initial point of entry will be and how that initial foothold will be expanded to gain access to valuable data.
We have already seen multiple points of entry to attacks involving the cloud:
Lateral movement in the cloud (from the point of entry to the targeted data) almost always involves stolen or impersonated credentials, or the use of available APIs. Cloud systems come with incredibly powerful APIs – particularly for privileged credentials – which enable attackers to rapidly progress to their ultimate goal.
There are things organizations can do to prepare for these attacks:
And obviously, put strict controls over the data you most care about and practice restoring the data from isolated backups.
Oliver Tavakoli is CTO at Vectra AI.