Attempted attacks on cloud-based networks, specifically Vulnerability Exploits, see higher usage of newer CVEs
It’s not always peaceful high in the clouds
For the past few years, Check Point Research (CPR) has been following the evolution of the cloud threat landscape, as well as the constant increase in cloud infrastructure adoption by corporate environments. As many as 98% of global organizations utilize cloud-based services, and approximately 76% of them have multi-cloud environments, featuring services from two or more cloud providers.
Cloud adoption in general has grown rapidly in recent years, and COVID-19 accelerated this transition. With the normalization of remote work, companies needed to be able to support and provide critical services to their off-site workforce. With the move to the cloud comes a need for cloud security: as adoption of the technology grows, so does the number of attacks on it. These cloud-based applications must be protected against attack, and cloud-hosted data must be protected against unauthorized access in accordance with applicable regulations. This year saw a significant example of how critical this protection might get, when Thailand’s most extensive mobile network, AIS, accidentally left a database of eight billion internet records exposed, leading to one of the most expensive breaches ever recorded, costing the company $58 billion to resolve.
In November, The FBI and CISA revealed in a joint advisory that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability.
Growth in the number of attacks against cloud-based networks
When examining the past two years of the cloud-based network landscape, we see significant growth of 48% in the number of attacks per organization experienced in 2022 compared to 2021. Broken down by geographical region, Asia saw the largest year-over-year increase, with 60% growth, followed by Europe with substantial growth of 50% and North America with 28%.
Newer and major CVEs have a higher impact on cloud-based networks compared to on-prem
Although the current number of attacks on cloud-based networks is still 17% lower than on non-cloud networks, when drilling down into attack types, and specifically Vulnerability Exploits, attempted attacks on cloud-based networks make higher use of newer CVEs (disclosed 2020-2022) than attacks on on-prem networks. The difference between the two types of networks can be seen in the visual below.
Further analysis of specific high-profile global vulnerabilities reveals that some major CVEs have had a higher impact on cloud-based networks compared to on-prem. For example, the Text4Shell vulnerability (CVE-2022-42889), which was disclosed in October and was exploited soon after, has shown a 16% higher impact on cloud-based environments compared to its impact against on-prem networks. This vulnerability, in Apache Commons Text’s functionality, allows attacks over a network without the need for any specific privileges or user interaction.
Additional examples of prominent CVEs disclosed this year that have shown a similar trend:
· VMware Workspace Remote Code Execution (CVE-2022-22954) – 31% higher impact on cloud-based networks
· Microsoft Exchange Server Remote Code Execution (CVE-2022-41082) – 17% higher impact on cloud-based networks
· F5 BIG IP (CVE-2022-1388) – 12% higher impact on cloud-based networks
· Atlassian Confluence Remote Code Execution (CVE-2022-26134) – 4% higher impact on cloud-based networks
The 7 Pillars of Robust Cloud Security
While cloud providers offer many cloud-native security features and services, supplementary third-party solutions are essential to achieve enterprise-grade cloud workload protection from breaches, data leaks, and targeted attacks in the cloud environment. An integrated cloud-native/third-party security stack provides the centralized visibility and policy-based granular control necessary to deliver the following industry best practices:
1. Zero-trust cloud network security controls across logically isolated networks and micro-segments
Deploy business-critical resources and apps in logically isolated sections of the provider’s cloud network, such as Virtual Private Clouds (AWS and Google) or vNET (Azure). Use subnets to micro-segment workloads from each other, with granular security policies at subnet gateways. Use dedicated WAN links in hybrid architectures, and use static user-defined routing configurations to customize access to virtual devices, virtual networks and their gateways, and public IP addresses.
2. Shift your security left
Incorporate security and compliance protection early in the development lifecycle. With security checks integrated continuously into the deployment pipeline, rather than at the end, DevSecOps teams are able to find and fix security vulnerabilities early, accelerating an organization’s time-to-market.
3. Keep code securely hygienic with vulnerability management
Set guardrail policies ensuring your deployment meets the corporate code hygiene policies. These policies will alert on deviation from the policy and can block deployments of non-compliant artifacts. Build remediation processes by alerting the development team on non-compliant artifacts with appropriate remediation steps.
Incorporate tools which provide the ability to explore vulnerabilities and SBOM (Software Bill of Materials) to quickly identify resources with critical vulnerabilities.
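A deployment guardrail of the kind described in this pillar, as an added example that is not part of the original post or of any Check Point product: it evaluates an SBOM (in CycloneDX-like shape) against a vulnerability list, blocks the artifact when a component carries a vulnerability at or above the blocking severity, and returns every finding for the remediation alert. The SBOM, the purl-to-vulnerability mapping and the severity ranking are constructed sample data; the CVE ids are the ones cited on this page.

```python
"""Deployment guardrail: evaluate a CycloneDX-style SBOM against a
vulnerability list and block artifacts that violate the hygiene policy.
The SBOM and vulnerability records below are constructed sample data."""
from dataclasses import dataclass

# Constructed SBOM fragment in CycloneDX shape (purl = package URL).
SBOM = {
    "components": [
        {"name": "commons-text", "version": "1.9",
         "purl": "pkg:maven/org.apache.commons/commons-text@1.9"},
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
    ]
}

# Constructed vulnerability feed keyed by purl. The CVE ids are the ones the
# page cites; the version mapping is sample data, not a real advisory feed.
VULNS = {
    "pkg:maven/org.apache.commons/commons-text@1.9": [
        {"id": "CVE-2022-42889", "severity": "critical"}],
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": [
        {"id": "CVE-2021-44228", "severity": "critical"}],
}

@dataclass
class Verdict:
    allowed: bool
    findings: list  # (purl, cve id, severity) tuples for the remediation alert

def evaluate_sbom(sbom: dict, vulns: dict, block_at: str = "critical") -> Verdict:
    """Block the deployment when any component carries a vulnerability at or
    above the blocking severity; every match is reported for remediation."""
    rank = {"low": 1, "medium": 2, "high": 3, "critical": 4}
    findings, allowed = [], True
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        for v in vulns.get(purl, []):
            findings.append((purl, v["id"], v["severity"]))
            if rank.get(v["severity"], 0) >= rank[block_at]:
                allowed = False
    return Verdict(allowed=allowed, findings=findings)

if __name__ == "__main__":
    verdict = evaluate_sbom(SBOM, VULNS)
    print("ALLOW" if verdict.allowed else "BLOCK", verdict.findings)
```

The patched log4j-core 2.17.1 does not match the feed entry for 2.14.1, so only the vulnerable commons-text component is reported and the deployment is blocked.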
4. Avoid misconfiguration with continuous posture scanning
Cloud security vendors provide robust Cloud Security Posture Management, consistently applying governance and compliance rules to virtual servers. This helps to ensure they are configured to the best practices and properly segregated with access control rules.
5. Safeguarding all applications (and especially cloud-native distributed apps) with active prevention via IPS (Intrusion Prevention System) and next-generation web application firewall
Stop malicious traffic from reaching your web application servers with a WAF that automatically updates its rules in response to traffic behavior changes and is deployed close to the microservices that are running workloads.
6. Enhanced data protection with multi-layers
Enhanced data protection with encryption at all transport layers, secured file shares and communications, continuous compliance risk management, and good data storage resource hygiene, such as detecting misconfigured buckets and terminating orphan resources, will provide an additional security layer for an organisation’s cloud landscape.
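A minimal posture scan covering both pillar 4 (continuous configuration checks against best practice) and the storage hygiene items of pillar 6 (misconfigured buckets, orphan resources), as an added example that is not part of the original post or of any vendor's CSPM product. The inventory snapshot, its field names and the thresholds are constructed sample data and do not follow any provider's real API schema.

```python
"""Posture scan over a constructed cloud inventory: flag misconfigured storage
buckets and orphan (long-detached) block volumes. The inventory, field names
and thresholds are sample data, not any provider's real API schema."""
from datetime import date

# Constructed inventory snapshot, as a CSPM tool would collect it.
INVENTORY = {
    "buckets": [
        {"name": "prod-invoices", "public": False, "encryption": "aes256", "logging": True},
        {"name": "marketing-assets", "public": True, "encryption": "aes256", "logging": True},
        {"name": "backup-dump", "public": True, "encryption": None, "logging": False},
    ],
    "volumes": [
        {"id": "vol-0001", "detached_since": None},          # attached, fine
        {"id": "vol-0002", "detached_since": "2022-06-15"},  # orphan candidate
        {"id": "vol-0003", "detached_since": "2022-12-10"},  # recently detached
    ],
}
# Buckets allowed to be public after an explicit owner review.
PUBLIC_EXCEPTIONS = {"marketing-assets"}

def bucket_rules(bucket: dict) -> list:
    """Return (rule, severity) violations for one bucket."""
    out = []
    if bucket["public"] and bucket["name"] not in PUBLIC_EXCEPTIONS:
        out.append(("public-access-without-exception", "critical"))
    if not bucket["encryption"]:
        out.append(("encryption-at-rest-missing", "high"))
    if not bucket["logging"]:
        out.append(("access-logging-disabled", "medium"))
    return out

def orphan_volumes(volumes: list, today: date, max_days: int = 30) -> list:
    """Volumes detached for longer than the threshold are orphan candidates."""
    return [v["id"] for v in volumes if v["detached_since"]
            and (today - date.fromisoformat(v["detached_since"])).days > max_days]

def scan(inventory: dict, today: date) -> dict:
    """Run every rule and return findings keyed by resource name."""
    findings = {}
    for b in inventory["buckets"]:
        if viol := bucket_rules(b):
            findings[b["name"]] = viol
    for vol in orphan_volumes(inventory["volumes"], today):
        findings[vol] = [("orphan-volume", "low")]
    return findings

if __name__ == "__main__":
    for res, viol in scan(INVENTORY, date(2022, 12, 15)).items():
        print(res, viol)
```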
7. Threat intelligence that detects and remediates known and unknown threats in real-time
Third-party cloud security vendors add context to the large and diverse streams of cloud-native logs by intelligently cross-referencing aggregated log data with internal data such as asset and configuration management systems, vulnerability scanners, etc. and external data such as public threat intelligence feeds, geolocation databases, etc. They also provide tools that help visualize and query the threat landscape and promote quicker incident response times. AI-based anomaly detection algorithms are applied to catch unknown threats, which then undergo forensics analysis to determine their risk profile. Real-time alerts on intrusions and policy violations shorten times to remediation, sometimes even triggering auto-remediation workflows.
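The cross-referencing this pillar describes, as an added example that is not part of the original post or of any vendor's product: constructed cloud flow-log lines are parsed, each event is enriched with asset and vulnerability context from an inventory export and with a verdict from a threat-intelligence list, and a simple additive score decides which events become alerts. The log format, the feed (documentation-range IPs only), the asset records and the scoring weights are all constructed sample data.

```python
"""Enrich constructed cloud flow-log lines with asset/vulnerability context and
a threat-intelligence list, then score them into alerts. Log format, feed
entries, asset records and the scoring weights are all constructed sample data."""
import ipaddress

# Constructed flow-log lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
LOG_LINES = """\
2022-12-01T10:00:01Z 203.0.113.7 10.0.2.15 443 ACCEPT
2022-12-01T10:00:02Z 198.51.100.9 10.0.2.15 22 REJECT
2022-12-01T10:00:03Z 10.0.1.4 10.0.2.15 8443 ACCEPT
2022-12-01T10:00:04Z 203.0.113.7 10.0.3.20 8080 ACCEPT
""".splitlines()

# Constructed threat-intel feed (documentation-range IPs, not real indicators).
THREAT_INTEL = {"203.0.113.7": "known-scanner"}
# Constructed asset records, as a CMDB/vulnerability scanner would export them.
ASSETS = {
    "10.0.2.15": {"name": "horizon-gw", "critical_vulns": ["CVE-2021-44228"]},
    "10.0.3.20": {"name": "web-01", "critical_vulns": []},
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def parse(line: str) -> dict:
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}

def enrich(event: dict) -> dict:
    """Attach asset name, known critical vulns, TI verdict and a risk score."""
    asset = ASSETS.get(event["dst"], {"name": "unknown", "critical_vulns": []})
    ti = THREAT_INTEL.get(event["src"])
    external = ipaddress.ip_address(event["src"]) not in INTERNAL
    score = 0
    if ti:
        score += 50                 # source is a known bad actor
    if asset["critical_vulns"]:
        score += 30                 # destination has an unpatched critical CVE
    if external and event["action"] == "ACCEPT":
        score += 20                 # external traffic actually got through
    return {**event, "asset": asset["name"], "vulns": asset["critical_vulns"],
            "ti": ti, "score": score}

def alerts(lines: list, threshold: int = 60) -> list:
    """Return enriched events whose score meets the alert threshold."""
    return [e for e in (enrich(parse(l)) for l in lines) if e["score"] >= threshold]

if __name__ == "__main__":
    for a in alerts(LOG_LINES):
        print(a["ts"], a["src"], "->", a["asset"], a["ti"], a["vulns"], a["score"])
```

Only the two accepted connections from the listed source reach the threshold; the rejected probe and the internal connection stay below it even though they target the host with the unpatched CVE.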
Check Point CloudGuard offers unified cloud-native security across your applications, workloads, and network, giving you the confidence to automate security, prevent threats, and manage posture at cloud speed and scale.
The statistics and data used in this report present data detected by Check Point’s Threat Prevention technologies, stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software.