Cloud as an Attack Vector
In today’s cloud-native ecosystem, applications and services that used to be hosted behind firewalls are now publicly accessible. Organizations are using cloud apps and services to store intellectual property other confidential data. Ecosystems of interconnected apps have emerged to enable efficient collaboration and increase productivity. Threat actors have taken notice and are increasingly launching attacks both using and targeting these cloud services. Using cloud services in an attack has proven to be an effective tactic for threat actors, as they benefit not only from its cost, scale, and simplicity, but also the implicit trust placed in these services. Examples of this trust Include that from the end users, who are accustomed to clicking on links to popular apps; and from organizations and security providers, who commonly whitelist domains associated with popular apps.
In this paper, we explore the dangers of placing such trust in cloud apps by considering the four most common cloud-based attack patterns:
- Cloud as a malware hosting platform,
- Cloud as a command and control channel,
- Cloud as a platform to spread malware, and
- Cloud as a platform for phishing.
We explain each attack pattern and provide detailed cases studies that illustrate their usage in the wild. The case studies illustrate that:
- Attackers are abusing a variety of cloud apps, often incorporating multiple apps in the same attack across multiple stages, and
- When elements of attacks are taken down by a cloud provider, they often resurface in new cloud apps or new instances of the same app. We also include statistics collected from our cloud-based secure web gateway (SWG) and API-based cloud access security broker (CASB) that illustrate how common these attack patterns are in the wild. The statistics were collected during the first half of 2020 from 4.5 million users across 875 different organizations. We conclude by framing these cloud-based techniques in the context of an attack kill-chain. The goal of this paper is to highlight the four most techniques ways malware are using the cloud to launch attacks and stay under the radar. We hope that by doing this we can help researchers and organizations take proactive steps defend against the malware threats that employ these techniques.
Ashwin Vamshi is a Security Researcher with innate interest in targeted attacks and malwares using cloud services. He has previously worked in Blueocoat, Norman and Comodo dealing in areas related to Antivirus, Firewall, IDS/IPS, Web categorization, Sandbox and ICS protection. Currently, he is focusing in identifying new attack vectors, malwares, campaigns, threat actors and misconfigurations using ‘cloud as an attack vector’ and enhancing the detection of Netskope threat detection engines.
Netskope Threat Labs
Ray is the Director of Netskope Threat Labs, which specializes in cloud-focused threat research. His background is in software anti-tamper, malware detection and classification, cloud security, sequential detection, and machine learning. He holds a Ph.D. in Electrical Engineering from Drexel University. Most recently, Ray was the CTO of cloud security startup Sift Security.
Sponsors and Supporting Organizations
Networking Lounge Sponsor