As cybercriminals remain steadfast in their pursuit of unsuspecting ways to infiltrate today’s businesses, a new report by IBM Security X-Force highlights the top tactics of cybercriminals, the open doors users are leaving for them and the burgeoning marketplace for stolen cloud resources on the dark web. The big takeaway from the data is businesses still control their own destiny when it comes to cloud security. Misconfigurations across applications, databases and policies could have stopped two-thirds of breached cloud environments observed by IBM in this year’s report.

IBM’s 2021 X-Force Cloud Security Threat Landscape Report has expanded from the 2020 report with new and more robust data, spanning Q2 2020 through Q2 2021. Data sets we used include dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research. This expanded dataset gave us an unprecedented view across the whole technology estate to make connections for improving security. Here are some quick highlights:

• Configure it Out — Two out of three breached cloud environments studied were caused by improperly configured Application Programming Interface (APIs). X-Force incident responders also observed virtual machines with default security settings that were erroneously exposed to the Internet, including misconfigured platforms and insufficiently enforced network controls.
• Rulebreakers Lead to Compromise — X-Force Red found password and policy violations in the vast majority of cloud penetration tests conducted over the past year. The team also observed a significant growth in the severity of vulnerabilities in cloud-deployed applications, while the number of disclosed vulnerabilities in cloud-deployed applications rocketed 150% over the last five years.
• Automatic for the Cybercriminals — With nearly 30,000 compromised cloud accounts for sale at bargain prices on dark web marketplaces and Remote Desktop Protocol accounting for 70% of cloud resources for sale, cybercriminals have turnkey options to further automate their access to cloud environments.
• All Eyes on Ransomware & Cryptomining — Cryptominers and ransomware remain the top dropped malware into cloud environments, accounting for over 50% of detected system compromises, based on the data analyzed.

Modernization Is the New Firewall

More and more businesses are recognizing the business value of hybrid cloud and distributing their data across a diverse infrastructure. In fact, the 2021 Cost of a Data Breach Report revealed that breached organizations implementing a primarily public or private cloud approach suffered approximately $1 million more in breach costs than organizations with a hybrid cloud approach.

With businesses seeking heterogeneous environments to distribute their workloads and better control where their most critical data is stored, modernization of those applications is becoming a point of control for security. The report is putting a spotlight on security policies that don’t encompass the cloud, increasing the security risks businesses are facing in disconnected environments. Here are a few examples:

• The Perfect Pivot — As enterprises struggle to monitor and detect cloud threats, cloud environments today. This has contributed to threat actors pivoting from on-premise into cloud environments, making this one of the most frequently observed infection vectors targeting cloud environments — accounting for 23% of incidents IBM responded to in 2020.
• API Exposure — Another top infection vector we identified was improperly configured assets. Two-thirds of studied incidents involved improperly configured APIs. APIs lacking authentication controls can allow anyone, including threat actors, access to potentially sensitive information. On the other side, APIs being granted access to too much data can also result in inadvertent disclosures.

Many businesses don’t have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premise, which leads to a fragmented and more complex security environment that is tough to manage. Organizations need to manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back. By modernizing their mission critical workloads, not only will security teams achieve speedier data recovery, but they will also gain a vastly more holistic pool of insights around threats to their organization that can inform and accelerate their response.

Trust That Attackers Will Succeed & Hold the Line

Evidence is mounting every day that the perimeter has been obliterated and the findings in the report just add to that corpus of data. That is why taking a zero trust approach is growing in popularity and urgency. It removes the element of surprise and allows security teams to get ahead of any lack of preparedness to respond. By applying this framework, organizations can better protect their hybrid cloud infrastructure, enabling them to control all access to their environments and to monitor cloud activity and proper configurations. This way organizations can go on offense with their defense, uncovering risky behaviors and enforcing privacy regulation controls and least privilege access. Here’s some of the evidence derived from the report:

• Powerless Policy — Our research suggests that two-thirds of studied breaches into cloud environments would have likely been prevented by more robust hardening of systems, such as properly implementing security policies and patching.
• Lurking in the Shadows — “Shadow IT”, cloud instances or resources that have not gone through an organization’s official channels, indicate that many organizations aren’t meeting today’s baseline security standards. In fact, X-Force estimates the use of shadow IT contributed to over 50% of studied data exposures.
• Password is “admin 1” — The report illustrates X-Force Red data accumulated over the last year, revealing that the vast majority of the team’s penetration tests into various cloud environments found issues with either passwords or policy adherence.

The recycling use of these attack vectors emphasizes that threat actors are repetitively relying on human error for a way into the organization. It’s imperative that businesses and security teams operate with the assumption of compromise to hold the line.

Dark Web Flea Markets Selling Cloud Access

Cloud resources are providing an excess of corporate footholds to cyber actors, drawing attention to the tens of thousands of cloud accounts available for sale on illicit marketplaces at a bargain. The report reveals that nearly 30,000 compromised cloud accounts are on display on the dark web, with sales offers that range from a few dollars to over $15,000 (depending on geography, amount of credit on the account and level of account access) and enticing refund policies to sway buyers’ purchasing power.

But that’s not the only cloud “tool” for sale on dark web markets with our analysis highlighting that Remote Desktop Protocol (RDP) accounts for more than 70% of cloud resources for sale — a remote access method that greatly exceeds any other vector being marketed. While illicit marketplaces are the optimal shopping grounds for threat actors in need of cloud hacks, concerning us the most is a persistent pattern in which weak security controls and protocols — preventable forms of vulnerability — are repeatedly exploited for illicit access.

To read our comprehensive findings and learn about detailed actions organizations can take to protect their cloud environments, review our 2021 X-Force Cloud Security Threat Landscape here.

Want to hear from an expert? Schedule a consultation with an X-Force team member and register for our cloud security webinar to learn more.

The post X-Force Report: No Shortage of Resources Aimed at Hacking Cloud Environments appeared first on Security Intelligence.

As reported in the IBM X-Force Threat Intelligence Index 2020, X-Force research teams operate a network of globally distributed spam honeypots, collecting and analyzing billions of unsolicited email items every year. Analysis of data from our spam traps reveals trending tactics that attackers are utilizing in malicious emails, specifically, that threat actors are continuing to target organizations through the exploitation of older Microsoft Word vulnerabilities (CVE-2017-0199 and CVE-2017-11882).

• CVE-2017-0199 was first disclosed and patched in April 2017. It allows an attacker to download and execute a Visual Basic Script containing PowerShell commands after the victim opens a malicious document containing an embedded exploit. Unlike many other Microsoft Word and WordPad exploits, the victim does not need to enable macros or accept any prompts — the document just loads and executes a malicious file of the attacker’s choosing.
• CVE-2017-11882 was first disclosed and patched in November 2017. This vulnerability involves a stack buffer overflow in the Microsoft Equation Editor component of Microsoft Office that allows for remote code execution. Interestingly, the vulnerable component was 17 years old (compiled in 2000) at the time of exploitation and unchanged since its removal in 2018.

These vulnerabilities, which were reported and subsequently issued patches in 2017, are the most frequently used of the top eight vulnerabilities observed in 2019. They were used in nearly 90 percent of malspam messages despite being well-publicized and dated. These findings highlight how delays in patching allow cybercriminals to continue to use old vulnerabilities and still see some success in their attacks.

2 Years and Still Going Strong

In addition to these vulnerabilities’ popularity in malspam, the volume of 2019 network attacks that targeted X-Force-monitored customers while attempting to exploit them was 25 times higher than the combined number of network attacks attempting to exploit similar vulnerabilities that leverage Object Linking and Embedding (OLE).

Our analysts did not observe a commonality regarding the malicious payloads used post-exploitation, which means that using these vulnerabilities is the choice of a wide array of threat actors and not specific to a small number of campaigns or adversarial groups.

Figure 1: Observed usage of top CVEs in 2019 spam emails (Source: IBM X-Force)

Another noteworthy insight from the figure above is that most vulnerabilities commonly used by cybercriminals are older ones. None of the vulnerabilities leveraged in 2019 were disclosed last year and only one was disclosed in 2018. The rest go back as far as 2003, further driving home the point that when it comes to malicious cyber activity, what’s old is new and what’s new is old.

The Allure of Older Vulnerabilities

Why would a wide array of threat actors use the same two old and well-known exploits in so many of their attacks? There are a few possible explanations, but the essence of it is they are cheaper, better documented, battle-tested and more likely to lead to legacy systems that are no longer being patched.

First, the exploits are very convenient for an attacker to use in that they don’t require user interaction. Unlike more recent Word vulnerabilities, which require the attacker to convince the user to enable macros, the exploits for these particular vulnerabilities automatically execute when the document is opened. This can help reduce the chance of arousing user suspicions and, accordingly, increase the rate of success.

Second, since so many different actors use these vulnerabilities, it can complicate attribution, as their widespread usage makes associating them with any particular individual or group difficult.

For example, IBM researchers recently observed threat actors leveraging these CVEs and using a variant of the X-Agent malware, which was historically associated with a threat actor known to IBM as ITG05 (also known as APT28). That threat group has been attributed to Russia’s Main Intelligence Directorate. But while they were being used by highly sophisticated threat actors, these vulnerabilities were also leveraged by low-end spammers dropping commodity malware through massive email campaigns.

The reuse of common exploits is a convenient way to muddy threat actor attribution, especially for groups that wish to remain anonymous in their operations. It can allow threat actors to hide among a large volume of activity, obfuscating their actions.

The third and perhaps most likely reason for the continued use of these vulnerabilities is the simple ease and convenience of generating documents that can exploit them. Because these types of documents are essential to the day-to-day operations of many target organizations, they are often not blocked by enterprise email filters. As a final bonus to threat actors, they are also some of the cheapest exploits cybercriminals can buy.

X-Force’s dark web research of underground forums highlights multiple offerings of free document builders that leverage each of these vulnerabilities. Our team also identified free YouTube videos focused on each vulnerability, illustrating how an attacker can generate a document to exploit these issues.

Figure 2: YouTube videos detailing how to generate documents exploiting CVEs 2017-0199, 2017-11882 (Source: IBM X-Force)

One should keep in mind that successful exploitation of older vulnerabilities is more likely to happen on older, unpatched operating systems (OSs) and legacy systems where OS end-of-life means that no new patches are even available. These kinds of systems are most likely used by organizations that can’t patch due to other issues or priorities. While there are many reasons that can contribute to the decision to defer patching, that decision is never a good one in the long run.

What Can Companies Do With This Sort of Information?

Older vulnerabilities are clearly not going away any time soon, so organizations need to be prepared to defend against their attempted exploitation. IBM X-Force Incident Response and Intelligence Services (IRIS) has the following tips for organizations to better protect themselves:

• Asset management is an ongoing process that should be top of mind for risk management. Part of this process is continually assessing risk to critical systems and considering the consequences of not patching them. Reassess the risks and consider patching and updating operating systems as soon as possible. Reality check: Windows 7’s end-of-life took place on January 14, 2020. Is your organization ready to move to an updated OS?
• On the application level, ensure that patches for productivity suites — especially Microsoft software — are applied as soon as they become available.
• Monitor the organization’s environment for PowerShell callouts that may be attempting to download and execute malicious payloads.
• Continue user education on the risks of opening attachments from unknown sources, as vulnerabilities like these do not require any user interaction beyond opening to cause harm.
• Scope and engage in a vulnerability management program to determine if older vulnerabilities are exposing your environment to exploitation by an attacker.

Download the latest X-Force Threat Intelligence Index

The post What’s Old Is New, What’s New Is Old: Aged Vulnerabilities Still in Use in Attacks Today appeared first on Security Intelligence.