The Orca Research Pod is a group of cloud security researchers focused on discovering and analyzing cloud risks and vulnerabilities as well as promoting best practices in the field. In their State of Cloud Security 2024 Report, they present and explore critical risks and ways to prevent attacks at a moment when cybersecurity defenders are on the back foot while attackers are becoming more and more sophisticated.
The report’s methodology analyzes data captured from billions of cloud assets on AWS, Azure, Google Cloud, Oracle Cloud, and Alibaba Cloud scanned by the Orca Cloud Security Platform collected through 2023. Summarizing, the report reveals that:
Basic Security Practices Still Lacking: Many risks arise because companies don’t adhere to the foundational cybersecurity principles, which highlights the need for education about improved security measures.
Risks on Exposed and Public Assets: many risks are associated with cloud assets that are exposed and public-facing, which are particularly concerning when they store or provide access to sensitive data.
Improvement in Cloud Security Postures: There has been some progress, with fewer Log4Shell-vulnerable assets and a 1-5% improvement in security postures across various industries compared to the 2022 report.
Exposed Neglected Assets
A neglected asset consists of a cloud asset using an unsupported operating system or that has not been patched for 180 days or more. When these assets reach end-of-life (EOL), vendors no longer provide support, which leads to decreasing security and stability.
The risk of exploitation increases for neglected assets that are public-facing on commonly targeted ports such as 80, 443, 8080, 22, 3389, or 5900. Attackers continuously scan for open ports and known vulnerabilities, which makes these assets prime targets and easy entry points, so upgrading or retiring them is essential. Since neglected assets often lack installed and maintained agents, agent-based workload protection may also be ineffective on them.
Another common problem is the subdomain takeover risk, one of the easiest attack vectors to exploit; it can be used for phishing campaigns, credential theft, or malware distribution. 23% of organizations are at risk because a subdomain’s CNAME record points to a non-existent cloud service, which a bad actor can claim and use to serve malicious content. This usually happens when cloud services are shut down and companies neglect to update or remove the corresponding DNS records, leaving their domains and subdomains unprotected.
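As an added example (not code from Orca or the report), the following Python script shows the defender-side check for this condition: it walks a zone's CNAME records and flags any whose target no longer resolves, which is the dangling-record state that makes a takeover possible. The zone entries, resolver answers and provider names are constructed stand-ins; a real run would replace resolve with live DNS lookups.

```python
# Added example (not Orca's code): flag CNAME records whose target no
# longer resolves, the "dangling CNAME" condition behind subdomain takeover.
# Runs offline against a constructed zone snapshot and constructed resolver
# answers; in production, replace `resolve` with real DNS lookups.
from typing import Callable, Dict, List, Optional

# Constructed CNAME export for a hypothetical zone.
ZONE_CNAMES: Dict[str, str] = {
    "blog.example.com": "old-site.azurewebsites.net",   # service deleted
    "app.example.com": "lb-123.elb.amazonaws.com",
    "shop.example.com": "shop-example.myshopify.com",
}

# Constructed resolver answers; None stands in for NXDOMAIN / no address.
RESOLVER_ANSWERS: Dict[str, Optional[List[str]]] = {
    "lb-123.elb.amazonaws.com": ["203.0.113.10"],
    "shop-example.myshopify.com": ["203.0.113.20"],
    "old-site.azurewebsites.net": None,
}


def resolve(name: str) -> Optional[List[str]]:
    """Stand-in resolver: returns addresses, or None when nothing resolves."""
    return RESOLVER_ANSWERS.get(name)


def provider_of(target: str) -> str:
    """Label the hosting provider by the target's parent domain (last two
    labels) so the owning team knows which console to check."""
    return ".".join(target.rstrip(".").split(".")[-2:])


def find_dangling(cnames: Dict[str, str],
                  resolver: Callable[[str], Optional[List[str]]] = resolve
                  ) -> List[Dict[str, str]]:
    """Return one finding per subdomain whose CNAME target does not resolve.

    A dangling target is the precondition for takeover: the DNS record still
    points at a provider hostname that nobody currently owns.
    """
    findings = []
    for sub, target in sorted(cnames.items()):
        if resolver(target) is None:
            findings.append({"subdomain": sub, "target": target,
                             "provider": provider_of(target)})
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE_CNAMES):
        print(f"DANGLING {f['subdomain']} -> {f['target']} ({f['provider']})")
```

Because the check depends only on whether the target resolves, it catches records left behind at any provider, not just the one in the sample. Pair it with an inventory of decommissioned services so that the owning team deletes the record rather than leaving it for someone else to claim.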
Data Exposure
There are security settings for databases and storage buckets to protect sensitive data such as personally identifiable information (PII), credit card numbers, medical records, dev keys, secrets, and tokens. But misconfiguring these assets generates the risk of them becoming publicly accessible and exposes them to dangers like ransomware, data exfiltration, reputational harm, and legal ramifications. It’s alarming that one-fifth of businesses have sensitive data storage open to the public.
An S3 bucket that grants public “Write” access to objects lets attackers add, remove, and replace objects, which can result in ransomware attacks, malware infection, data leaks, and unintentional changes. Even though only 5% of businesses possess such an asset, this configuration is highly dangerous and should be avoided at all costs.
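The public-write condition can be checked mechanically from the bucket policy. The script below is an added example, not Orca's tooling: it parses a constructed bucket policy (hypothetical bucket name and Sids; the account ID is the AWS documentation placeholder) and reports Allow statements whose principal is everyone and whose actions include object writes, including wildcard actions such as s3:Put*.

```python
# Added example (not Orca's code): scan an S3 bucket policy document for
# statements that grant object-write actions to everyone. The policy below is
# constructed for the example; the bucket name and Sids are hypothetical.
import json
from typing import Any, Dict, List, Tuple

# Actions that let a caller add, replace or delete objects (or do anything).
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:deleteobjectversion", "s3:*", "*"}

# Constructed bucket policy: one public-read statement, one public-write
# statement that must be flagged, and one scoped to a specific role.
BUCKET_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
"""


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two 'anyone' spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def action_is_write(action: str) -> bool:
    """Match exact write actions and wildcards such as s3:Put* or s3:*."""
    a = action.lower()
    if a in WRITE_ACTIONS:
        return True
    if a.endswith("*"):
        prefix = a[:-1]
        return any(w.startswith(prefix)
                   for w in WRITE_ACTIONS if w not in ("s3:*", "*"))
    return False


def public_write_statements(policy: Dict[str, Any]) -> List[Tuple[str, bool]]:
    """Return (Sid, has_condition) for Allow statements that grant write
    access to a public principal. Conditioned statements are still reported:
    a Condition may narrow the grant (e.g. to a source IP), so they need a
    human look rather than an automatic pass. NotPrincipal/NotAction forms
    are not evaluated here and should be reviewed separately.
    """
    hits = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not principal_is_public(st.get("Principal")):
            continue
        if any(action_is_write(a) for a in _as_list(st.get("Action"))):
            hits.append((st.get("Sid", f"statement-{idx}"), "Condition" in st))
    return hits


def scan_policy_json(text: str) -> List[Tuple[str, bool]]:
    """Convenience wrapper: parse a policy document and scan it."""
    return public_write_statements(json.loads(text))


if __name__ == "__main__":
    for sid, conditional in scan_policy_json(BUCKET_POLICY_JSON):
        note = " (conditioned, review)" if conditional else ""
        print(f"PUBLIC WRITE: {sid}{note}")
```

Object ACLs and the account-level Block Public Access setting are separate controls not examined here; in practice all three should be checked together, since any one of them can open a bucket to anonymous writes.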
Machine learning model development, training, and deployment require cloud-based AI systems like Amazon SageMaker. However, these systems are high-risk assets because they frequently use sensitive and private data. Malware can obtain an AI model’s code through exposed SageMaker notebooks, resulting in the theft of proprietary algorithms or remote code execution (RCE). These dangers show how strict security measures are required to safeguard intellectual property and data integrity.
Attackers will target an exposed Kubernetes API server since it makes cluster communication easier. Unrestricted network access, especially if credentials are obtained, can enable attackers to alter resource states and compromise underlying infrastructure, containers, and workloads even when authentication is required. Since the 2022 report, this issue has grown by 12%, underscoring the critical need for more robust security measures as Kubernetes utilization increases. Although some purposeful public access for testing exists, the majority of publicly accessible API servers are the consequence of misconfigurations.
Vulnerabilities
Two Decades of Vulnerabilities
The discovery of vulnerabilities in cloud systems that predate cloud computing may appear startling, but on reflection it is not a big surprise. Existing vulnerabilities are frequently transferred with applications when businesses “lift and shift”, that is, relocate them from on-premises systems to the cloud.
Even though some of these vulnerabilities are ancient, they still pose a risk:
A known attack code exists for 22% of the vulnerabilities that are more than a decade old.
We discovered that 83% of the vulnerabilities of lesser severity have a remedy available, even though some are still open. Besides that, 91% of organizations have at least one vulnerability older than 10 years, and 46% have vulnerabilities older than 20 years.
Log4Shell
Log4Shell was initially discovered over 2 years ago and is described as one of the most dangerous software vulnerabilities ever. The security flaw in Log4Shell is still present in many cloud environments and is still being actively exploited. While less than 1% of public-facing assets are vulnerable—a 10% decrease compared to the 2022 report—each instance represents an easily exploitable opportunity for a bad actor to launch an attack. 59% of organizations still have at least one asset vulnerable to Log4Shell, and 38% of them have a Log4Shell asset that is public-facing.
Identity and Access
Weak Authentication on Public-facing Assets
Public-facing workloads that are reachable from the Internet, whether by design or by accident, make up a sizable portion of an organization’s attack surface and are often the first to be compromised by threat actors. 24% of organizations have at least one public-facing workload with a weak or leaked password.
Attackers find it easier to compromise an asset using dictionary and password-spraying techniques when a public workload permits password authentication and its accounts use passwords that are common or have appeared in credential dumps from prior public breaches.
To protect these systems and lower the risk of exposure and compromise, it is essential to put adequate controls in place for non-human/non-interactive authentication, avoid password-only authentication, and adopt best practices such as multi-factor authentication.
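The dictionary and password-spraying activity described above leaves a recognisable pattern in authentication logs. As an added example (not from the report), the Python below parses constructed sshd-style log lines and labels each source IP as spraying (many distinct users, few attempts each) or brute-forcing (one user, many attempts); the thresholds are assumptions to be tuned per environment.

```python
# Added example (not Orca's code): classify failed-login sources from
# sshd-style log lines as password spraying (many users, few attempts each)
# or brute force (one user, many attempts). Log lines are constructed.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

LOG_LINES = """\
Jan 10 12:00:01 web1 sshd[2201]: Failed password for invalid user alice from 198.51.100.7 port 51000 ssh2
Jan 10 12:00:02 web1 sshd[2202]: Failed password for invalid user bob from 198.51.100.7 port 51001 ssh2
Jan 10 12:00:03 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jan 10 12:00:04 web1 sshd[2204]: Failed password for invalid user deploy from 198.51.100.7 port 51003 ssh2
Jan 10 12:00:05 web1 sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 51004 ssh2
Jan 10 12:00:06 web1 sshd[2206]: Failed password for invalid user test from 198.51.100.7 port 51005 ssh2
Jan 10 12:01:00 web1 sshd[2301]: Failed password for admin from 198.51.100.9 port 40000 ssh2
Jan 10 12:01:01 web1 sshd[2302]: Failed password for admin from 198.51.100.9 port 40001 ssh2
Jan 10 12:01:02 web1 sshd[2303]: Failed password for admin from 198.51.100.9 port 40002 ssh2
Jan 10 12:01:03 web1 sshd[2304]: Failed password for admin from 198.51.100.9 port 40003 ssh2
Jan 10 12:01:04 web1 sshd[2305]: Failed password for admin from 198.51.100.9 port 40004 ssh2
Jan 10 12:01:05 web1 sshd[2306]: Failed password for admin from 198.51.100.9 port 40005 ssh2
Jan 10 12:01:06 web1 sshd[2307]: Failed password for admin from 198.51.100.9 port 40006 ssh2
Jan 10 12:01:07 web1 sshd[2308]: Failed password for admin from 198.51.100.9 port 40007 ssh2
Jan 10 12:01:08 web1 sshd[2309]: Failed password for admin from 198.51.100.9 port 40008 ssh2
Jan 10 12:01:09 web1 sshd[2310]: Failed password for admin from 198.51.100.9 port 40009 ssh2
Jan 10 12:02:00 web1 sshd[2401]: Failed password for carol from 192.0.2.5 port 30000 ssh2
Jan 10 12:02:30 web1 sshd[2402]: Accepted publickey for carol from 192.0.2.5 port 30001 ssh2
""".splitlines()

# "invalid user" appears when the account does not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_failures(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Extract (source_ip, username) for every failed password attempt."""
    out = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user")))
    return out


def classify_sources(failures: Iterable[Tuple[str, str]],
                     spray_users: int = 5,
                     brute_attempts: int = 10) -> Dict[str, str]:
    """Label each source IP that exceeds a threshold (assumed values).

    spray: >= spray_users distinct usernames from one source.
    brute: >= brute_attempts failures against few usernames.
    """
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for ip, user in failures:
        by_ip[ip].append(user)
    labels = {}
    for ip, users in by_ip.items():
        if len(set(users)) >= spray_users:
            labels[ip] = "password-spray"
        elif len(users) >= brute_attempts:
            labels[ip] = "brute-force"
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(parse_failures(LOG_LINES)).items():
        print(f"{ip}: {label}")
```

Spraying is easy to miss with per-account lockout counters because each account sees only one or two failures; counting distinct usernames per source, as above, is what surfaces it. In a real deployment the same logic runs over a time window rather than the whole file.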
Unused IAM Users and Roles
It may seem simple to identify unused users and roles and then deactivate those identities or revoke their access, but that is far from the case. Because cloud systems are diverse and dynamic, managing IAM (Identity and Access Management) setups at scale in the cloud can be quite difficult, particularly in sizable multi-cloud environments. Our research discovered that 82% of organizations have IAM credentials that haven’t been used for 90+ days.
Roles in particular pose a special challenge because they are frequently disregarded. Since they are not tied to specific people, they are generated automatically during asset setup, readily forgotten, and overlooked during removal. 72% of organizations have unused IAM roles.
Root Risks: Highlighting the MFA Gap
When a cloud account is created, the root user is the one with full access to all services and resources. Without Multi-Factor Authentication (MFA), this user is susceptible to password spraying and dictionary attacks, so it is important to add MFA as an additional layer of security that diminishes the possibility of unwanted access. While MFA can be difficult to handle for shared accounts, there are ways to overcome this, such as using centrally managed software tokens or securely stored hardware tokens. 61% of organizations don’t apply MFA on their Root/Account Owner user.
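Both the stale-credential figure above and the root MFA gap can be checked from the AWS IAM credential report. The script below is an added example, not Orca's code: it parses a constructed CSV with a subset of the real report's columns (the account ID is the AWS documentation placeholder), flags users whose enabled password or access key has not been used in 90 days or was never used, and flags a root account whose mfa_active column is not true. IAM roles are not listed in the credential report, so unused roles need a separate check against each role's last-used information.

```python
# Added example (not Orca's code): audit a simplified AWS IAM credential
# report for users whose enabled credentials have not been used in 90+ days
# and for a root account without MFA. The CSV is constructed with a subset of
# the real report's columns; the account ID is the AWS documentation
# placeholder. IAM roles are not in this report and need a separate check.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REPORT_CSV = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-01-15T09:12:00+00:00,false,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-01-20T08:00:00+00:00,true,true,2024-01-21T10:00:00+00:00
ci-bot,arn:aws:iam::123456789012:user/ci-bot,false,N/A,false,true,2023-09-01T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,no_information,false,false,N/A
"""

# Values the report uses when there is no usable timestamp.
NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Constructed "as of" time for the audit (the report itself carries no clock).
AUDIT_AS_OF = datetime(2024, 2, 1, tzinfo=timezone.utc)


def parse_when(value: str) -> Optional[datetime]:
    """Parse a report timestamp; None means the credential was never used."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv: str, now: datetime,
                            max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Return {user: [finding, ...]} for stale credentials and root-without-MFA."""
    cutoff = now - timedelta(days=max_idle_days)
    findings: Dict[str, List[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        last_used: List[Optional[datetime]] = []
        # Root always has a console password; the report marks it not_supported.
        if is_root or row["password_enabled"] == "true":
            last_used.append(parse_when(row["password_last_used"]))
        if row["access_key_1_active"] == "true":
            last_used.append(parse_when(row["access_key_1_last_used_date"]))
        if is_root and row["mfa_active"] != "true":
            findings[user].append("root-without-mfa")
        # Stale only if every enabled credential is idle or never used.
        if last_used and all(ts is None or ts < cutoff for ts in last_used):
            findings[user].append(f"unused-{max_idle_days}d")
    return dict(findings)


def run_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed report at the constructed time."""
    return audit_credential_report(REPORT_CSV, AUDIT_AS_OF)


if __name__ == "__main__":
    for user, issues in run_audit().items():
        print(f"{user}: {', '.join(issues)}")
```

A credential that exists but has never been used (bob's password above) is treated the same as an idle one, since from a least-privilege standpoint both are unnecessary standing access. Users with no enabled credentials at all produce no finding, because there is nothing left to revoke.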
Lateral Movement Exposure
Lateral movement risks are configurations, secrets, roles, and other weaknesses that allow attackers to move from one compromised asset to another. They can provide access to vital systems, which is a serious risk to companies. Because this is a critical concern, security teams can address it more effectively by identifying the cloud assets most likely to serve as a starting point for lateral movement, especially workloads that are publicly visible. By treating every person and device as untrusted and enforcing strict identity authentication and authorization, a zero-trust approach effectively mitigates these risks and reduces the potential damage from breaches.
Malware
The potential for cloud-native malware outbreaks rises with the increased interconnectivity of cloud services and the volume of data transfers between different platforms. This kind of malware is made especially for cloud environments; it spreads via cloud storage and collaboration tools or by exploiting weaknesses in cloud applications and infrastructure. The most prevalent kind of cloud malware, trojans, impersonates trustworthy programs or software to access systems. Once inside, they give attackers the ability to carry out tasks like exporting, editing, or removing data, imitating the operations of authorized users, and using cloud features to avoid detection. Malware has been found in storage buckets, virtual machines, and containers, which emphasizes the importance of thorough security measures throughout the whole cloud infrastructure to guard against such attacks.
CI/CD Security
Incorporating third-party and open-source components into applications is common but carries risks. Nearly two-thirds of organizations encounter severe vulnerabilities in code within repositories like GitHub, Bitbucket, and GitLab. These vulnerabilities, potentially escalating in larger codebases, can lead to data breaches and system compromises. Software Composition Analysis (SCA) is crucial for security, particularly for external code, including third-party and open-source elements. When integrated into the CI/CD pipeline, SCA helps identify problematic dependencies, preventing vulnerabilities in operational applications. Implementing automated “Shift Left” practices in cloud security strategies is essential for early vulnerability detection in these repositories, safeguarding software integrity before deployment.
Almost three-quarters of organizations have unencrypted secrets, such as login credentials and API keys, in their code repositories. This lack of encryption poses a significant risk of security breaches in cloud environments where secret management is complex. Attackers can exploit these exposed secrets rapidly: Orca’s 2023 Honeypotting in the Cloud Report found that it takes merely 2 minutes to exploit keys on GitHub. Utilizing cloud provider secrets management services is crucial for effective secrets management throughout the development lifecycle. Early detection of secrets and vulnerabilities enables a holistic security strategy, covering everything from initial code submission to ongoing monitoring in production stages.
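Finding committed secrets before they reach a shared repository is the “Shift Left” control the paragraph calls for. As an added example (not Orca's scanner), the Python below runs a few patterns over constructed file contents: a fixed-format AWS access key ID (the value used is the AWS documentation example key), a GitHub classic token prefix, and generic password/secret assignments filtered by a Shannon-entropy threshold and a placeholder list so that README-style dummy values are not reported. The thresholds and placeholder list are assumptions.

```python
# Added example (not Orca's code): a minimal pre-commit style scanner that
# flags likely secrets in repository files. File contents are constructed;
# the access key ID is the AWS documentation example key, not a live one.
import math
import re
from typing import Dict, List, Tuple

RULES = {
    # AWS access key IDs: fixed prefix plus 16 upper-case alphanumerics.
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # GitHub classic personal access token: ghp_ plus 36 characters.
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # key = 'value' style assignments; the value is checked for entropy below.
    "generic-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*"
        r"['\"]([^'\"]{8,})['\"]"),
}
# Assumed placeholder values that documentation commonly uses.
PLACEHOLDERS = {"changeme", "password", "your-secret-here", "xxxxxxxx"}
MIN_ENTROPY_BITS = 3.0  # assumed threshold; real secrets score well above it

# Constructed repository snapshot: {path: file contents}.
FILES: Dict[str, str] = {
    "config/settings.py": "DB_PASSWORD = 'P@ssw0rd-9Kx2mQ7v'\nDEBUG = False\n",
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set password = 'changeme' before the first run.\n",
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values indicate dictionary words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_secret(value: str) -> bool:
    """Filter out documented placeholders and low-entropy dummy values."""
    return (value.lower() not in PLACEHOLDERS
            and shannon_entropy(value) >= MIN_ENTROPY_BITS)


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, rule_name) for each likely secret."""
    findings = []
    for path in sorted(files):
        for lineno, line in enumerate(files[path].splitlines(), start=1):
            for name, pattern in RULES.items():
                m = pattern.search(line)
                if not m:
                    continue
                if name == "generic-assignment" and not looks_like_secret(m.group(1)):
                    continue
                findings.append((path, lineno, name))
    return findings


if __name__ == "__main__":
    for path, lineno, rule in scan_files(FILES):
        print(f"{path}:{lineno}: {rule}")
```

Pattern rules catch fixed-format provider keys reliably; the entropy filter is what keeps the generic rule useful, since without it every sample config and README would page someone. Running this as a pre-commit hook keeps the secret out of history altogether, which matters given the two-minute exploitation window cited above.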
Conclusion
The State of Cloud Security 2024 Orca Report offers a thorough analysis of today’s cloud security dangers, along with crucial guidance on preventing attacks. The Orca Research Pod, a dedicated team of cloud security experts, has pinpointed many critical issues that must be resolved to strengthen security postures. The report emphasizes the essential need for ongoing improvement of cloud security practices. Organizations can protect their cloud environments from sophisticated cyber threats by deploying comprehensive security measures, resolving vulnerabilities, and efficiently managing secrets. It is an important reminder that maintaining strong cloud security postures and safeguarding data integrity requires alert and proactive security measures.