Armor, a leading global cloud security provider, reported that during 2018 it detected and neutralized over 681 million cyber attacks launched at its 1,200 cloud customers. Armor’s customers are in the Financial, Retail, Healthcare, Insurance, Software and Utility industries, and they are hosting their data in both public cloud environments and in its Virtual Private Cloud, Armor Complete.
While we hear lots of news reports about misconfigured cloud instances, we do NOT hear about the tens of thousands of “very deliberate” cyber threats being launched at cloud workloads every day. In analyzing its customers’ attack traffic, Armor’s Threat Resistance Unit (TRU) security research team found the following:
Hackers Scanned Armor’s Clients Looking for Vulnerable Apps and Systems
Armor’s intelligence analysts and security researchers believe the vast majority of the millions of attacks they neutralized were attacks of opportunity rather than attacks targeting a specific client, because they saw a tremendous amount of scanning of their clients’ environments.
This is no surprise, as scanning activity has become part of the normal noise of the Internet. “We have seen that by analyzing the scanning activity we detect, we can break the activity into groups of normal bot activity and likely malicious scanning activity, characterizing the malicious scanning activity to determine their most likely targets, turning the noise into information,” said Corey Milligan, Senior Security Researcher with Armor’s Threat Resistance Unit (TRU).
The typical modus operandi for attacks of opportunity includes: scanning the Internet for vulnerable applications or systems that can be compromised, getting an initial foothold into an organization’s IT environment, and then looking for databases or other storage containers which might contain sensitive or valuable data (such as customer PII, payment card data or intellectual property).
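As an added illustration of the triage Milligan describes (this is not Armor’s code or tooling), the script below groups web requests by source, sets aside known crawlers, and names the CMS a probing source appears to be looking for. The log lines, the crawler allowlist and the probe-path table are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
# Constructed sample web-server log lines (combined log format); the addresses are
# from the reserved TEST-NET ranges and the traffic is invented for illustration.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jan/2019:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [03/Jan/2019:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "python-requests/2.19"
198.51.100.7 - - [03/Jan/2019:10:01:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 0 "-" "python-requests/2.19"
198.51.100.7 - - [03/Jan/2019:10:01:02 +0000] "GET /wp-content/ HTTP/1.1" 404 0 "-" "python-requests/2.19"
198.51.100.7 - - [03/Jan/2019:10:01:03 +0000] "GET /user/login HTTP/1.1" 404 0 "-" "python-requests/2.19"
203.0.113.5 - - [03/Jan/2019:10:02:00 +0000] "GET /index.php/admin HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jan/2019:10:02:01 +0000] "GET /downloader/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jan/2019:10:02:02 +0000] "GET /magento_version HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Assumed crawler allowlist and an illustrative table of paths a scanner typically
# requests when fingerprinting each of the three CMS platforms named in the report.
BENIGN_UA = ("googlebot", "bingbot")
CMS_PROBES = {
    "WordPress": ("/wp-login.php", "/xmlrpc.php", "/wp-content/"),
    "Drupal": ("/user/login", "/user/register", "/CHANGELOG.txt"),
    "Magento": ("/index.php/admin", "/downloader/", "/magento_version"),
}

def parse(log_text):
    # One dict per well-formed line; malformed lines are skipped rather than crashing.
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def triage(log_text, min_404=3):
    """Map each source IP to (category, likely target CMS or None)."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_src.items():
        # User-agent strings are attacker-controlled; a production version should
        # confirm crawler claims via reverse DNS before trusting the allowlist.
        if any(b in evs[0]["ua"].lower() for b in BENIGN_UA):
            report[ip] = ("normal_bot", None)
            continue
        misses = sum(e["status"] == "404" for e in evs)  # many 404s = guessing paths
        hits = {cms: sum(any(e["path"].startswith(p) for p in probes) for e in evs)
                for cms, probes in CMS_PROBES.items()}
        target, n = max(hits.items(), key=lambda kv: kv[1])
        report[ip] = ("likely_malicious_scan", target) if misses >= min_404 and n else ("unclassified", None)
    return report
```

Sources tagged `likely_malicious_scan` are the ones worth correlating against the patch status of the named CMS; a single stray 404 stays `unclassified` so ordinary broken links do not trip the rule.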
Most Frequent Cyber Attacks Detected
Amongst the over 681 million cyber attacks, the four most frequently seen attacks were:
- Attacks against known Software Vulnerabilities
- Brute-Force Attacks /Attacks Involving Stolen Credentials
- Web Application Attacks (e.g. SQL Injection, Cross Site Scripting, Cross-Site Request Forgery Attacks, and Remote File Inclusion)
- Attacks targeting Internet of Things (IoT) devices
Hackers Quickly Launch Attacks Once Vulnerabilities Are Revealed: E.G. Drupal, Magento, WordPress
In analyzing the over 681 million attacks, the TRU Team found that many of the attacks were ones where the threat actors targeted known software vulnerabilities including ones in the Drupal, Magento and WordPress Content Management Systems (CMS).
“We saw the cybercriminals launch their attacks very quickly once the Drupal and Magento vulnerabilities were made public and PoC was released, knowing that it would take organizations time to test the patches and ensure that once installed the new fixes wouldn’t somehow negatively impact their business,” said Milligan.
Regarding the Drupal vulnerabilities, Armor knew its clients would also need time to patch, so Armor proactively pushed out network signatures and correlation rules based on the Drupalgeddon 2.0 Proof-of-Concept (PoC) code that was released publicly.
Armor Goes on the Hunt for Drupalgeddon Activity
Armor’s security analysts also initiated threat hunting activities, identifying multiple attempts by threat actors to exploit the Drupal vulnerability to deliver malware. Through analysis of the malware and continued analysis of the PoC code and other exploit techniques, Armor was able to deploy countermeasures that effectively blocked the detected payloads and vulnerability exploits before any damage was done.
Hackers Throw Brute-Force Attacks, Attacks Involving Stolen Credentials and Web Application Attacks at Armor Cloud Customers
Armor saw numerous Brute-Force Attacks and Web Application Attacks (SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) Attacks, and Remote File Inclusion (RFI)) launched at its clients.
“Brute-Force Attacks and Web Application Attacks are certainly not the most sophisticated nor the most lethal, however, they are still commonly seen because they are ‘good old standbys’ that continue to work and are easy to get their hands on,” explained Milligan.
A cybercriminal can simply purchase any number of password cracking tools and can rent or purchase exploit kits which contain many attack tools, including SQLi, XSS, RFI, etc. The kits are designed in such a way that it is quite trivial for an average computer user to successfully attack various vulnerabilities and then distribute malware or potentially wipe a victim’s hard drive.
“Brute-Force attacks are surprisingly effective because of the simple passwords people continue to use,” continued Milligan. “Computer users will also, unknowingly, enable attackers to compromise multiple accounts by using the same or very similar passwords across their online accounts.”
Internet of Things (IoT) Attacks
Attacks targeting “Internet of Things” (IoT) devices, such as routers, cameras, DVRs, thermostats, electronic appliances, alarm clocks, etc., were also among the most frequent attacks seen by Armor.
With IoT devices predicted to reach 20.4 billion by 2020, according to analyst firm Gartner, Milligan says he expects to see an increase in attacks in 2019 targeting IoT devices because they are such easy prey, and they are so prevalent. “When setting up and operating a home router, web-enabled appliance, DVR, many users don’t know or think to change the default password,” said Milligan.
A September 2018 study by anti-virus provider Kaspersky found that brute forcing of passwords was used in 93% of attacks launched against IoT devices. The use of poor or default passwords, combined with the fact that many manufacturers of IoT gadgets are more focused on ease of use and getting their product to market as soon as possible than on securing these devices, makes them ripe for attack.
Top Cyber Threats Projected to Hit Cloud Customers in 2019
The TRU Team anticipates that the following cyber attacks will trend in 2019:
- Exploits and attacks targeting Containers and Cloud Services
- IoT attacks and DDoS campaigns
- Targeted ransomware
- Greater levels of sophistication in phishing campaigns