Palo Alto Networks Report Reveals Cloud Security Challenges

An analysis of more than 680,000 identities across 18,000 cloud accounts from 200 different organizations published this week by Palo Alto Networks found nearly all (99%) cloud users, roles, services and resources were granted excessive permissions that were unused for 60 days or more.

Nathaniel Quist, a principal researcher for the Unit 42 security research team at Palo Alto Networks, said as more workloads are shifted to the cloud, cybercriminals are looking to compromise cloud account credentials that can then be used to gain illicit access to a wide range of cloud services.

The report found that more than half of organizations (53%) allowed weak passwords of fewer than 14 characters, and 44% allowed passwords to be reused.

Overall, the report found that 69% of organizations now host more than half their workloads in the cloud, with 62% of organizations employing publicly exposed cloud resources.

The report also suggested there is too much reliance on the security policies defined by cloud service providers (CSPs) rather than an internal security team. CSP-managed policies grant 2.5 times more permissions than customer-managed policies, the report found.

For the first time, as part of an effort to identify the source of threats to cloud services, Unit 42 has compiled a list of the threat actors it identified as most prevalent in targeting cloud accounts. They are:

TeamTNT: The most well-known and sophisticated credential targeting group.

WatchDog: Considered to be an opportunistic threat group that targets exposed cloud instances and applications.

Kinsing: Financially motivated and opportunistic cloud threat actor with heavy potential for cloud credential collection.

Rocke: Specializes in ransomware and cryptojacking operations within cloud environments.

8220: A Monero mining group that has reportedly stepped up its cryptomining operations by exploiting the Log4j vulnerability affecting Java applications.

Nation-state actors that are also known to target cloud infrastructure include APT 28 (Fancy Bear), APT 29 (Cozy Bear) and APT 41 (Gadolinium).

In general, the root cause of most cloud security issues can be traced back to the simple fact that most cloud resources are provisioned directly by developers who lack cybersecurity training. As a result, it’s not uncommon for ports to be left open through which cybercriminals can easily exfiltrate data. There is now a growing movement to hold developers more accountable for cloud security, as part of a larger effort that requires developers to manage the applications they build on an end-to-end basis. The challenge is that it may take years for developers to acquire the appropriate level of cybersecurity expertise and, even then, developers with varying levels of expertise are still likely to make mistakes.

As a result, Palo Alto Networks’ Quist said, cybersecurity teams need to make sure a layered defense is in place that lets them apply zero-trust security policies based on identity rather than relying on passwords that are too easily compromised.

Cloud security remains an issue not so much because of who owns the underlying infrastructure but because best practices are not being consistently applied across two or more cloud platforms.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.