Datadog Report Surfaces Pair of Sophisticated AWS Attacks – Source: securityboulevard.com

A report published by Datadog suggests that cybercriminal activity aimed specifically at cloud infrastructure services provided by Amazon Web Services (AWS) are increasing in terms of both sophistication and scale.

In one case, a malicious user was able to access an account to create additional users of an identity access management (IAM) service that were then authenticated via the AWS Console. They then used that ability to access EC2 Instance Connect, a tool that enabled them to attempt to start EC2 instances in a region not being used by the customer.

In the second instance, an attacker created a high number of Fargate clusters deployed on the Amazon Elastic Container Service (ECS) that were then used to run large numbers of containers for cryptomining purposes. In less than two minutes, cybercriminals were able to create multiple ECS Fargate clusters with randomized names that were used to run containers created using ECS task definitions, with each task definition ensuring each cluster ran 25 tasks. They then repeated the process across 17 regions. Overall, Datadog researchers suspect hundreds of ECS Fargate clusters and ECS tasks were created using 40 container images hosted on the Docker Hub that were used to deploy thousands of malicious containers.

Andrew Krug, team lead for security evangelism at Datadog, said the speed at which these clusters were created indicates that cybercriminals better understand how to effectively leverage automation to compromise cloud computing environments at scale. That’s especially problematic because the cost of running all those malicious containers can, for many organizations, be prohibitive, he noted.

Collectively, these attacks illustrate the need to continuously monitor AWS environments to, for example, identify spikes in application programming interface (API) calls that indicate an account has been compromised, he added.

In addition, tools for tracking cloud costs can be used to also identify, for example, regions running containers that were never authorized for that purpose, he noted.

Of course, none of these issues would arise if the credentials required to access AWS accounts had not been compromised in the first place. Anyone that has access to cloud services is always a primary phishing attack target. Cybersecurity teams also need to make sure that privileges can’t easily be escalated in the event credentials are compromised.

In general, cloud infrastructure services are more secure than on-premises IT environments, but the same processes used to make them easily accessible also make them vulnerable to malicious actors. Cybercriminals today understand well how to employ the various tools and services made available by cloud service providers for their own ends.

Unfortunately, in an age where many cloud resources are still provisioned by application developers with little to no appreciation for cybersecurity best practices, there will inevitably be an issue. The challenge, as always, is to first reduce the odds a cloud service will be compromised by tightening cybersecurity controls and then, in the event there is a breach, having the means to detect and isolate it as quickly as possible.