Ransomware in cloud-native environments

Disclaimer: “This report was generated as part of a student project in the Cyber Threat Intelligence course at the Georgia Institute of Technology (Georgia Tech) and overseen by Professor Sergio Caltagirone. The accuracy of this information cannot be guaranteed.”

Cloud-native environments face an increasing threat from sophisticated ransomware attacks. These attacks cause significant damage, including data breaches, financial losses, and reputational harm. Zero-day vulnerabilities pose a particularly severe risk, and there is currently no margin for human error in cloud configuration, since such errors have proven catastrophic in several instances. Additionally, the rise of new cybercrime groups and their strategic partnerships are enhancing their capabilities, making it easier for them to penetrate defenses. Furthermore, the never-ending emergence of vulnerabilities, coupled with the lack of visibility in cloud environments, raises concerns about their viability as a future investment option.

Implementing zero-trust policies can significantly enhance security by ensuring that no entity, whether inside or outside the network, is trusted by default. Regular security audits and employee training on best practices for cloud security and identifying phishing attempts are also crucial in minimizing the risk of misconfigurations and human errors. 

  • The widespread adoption of cloud-based services attracts organized cybercriminals such as Scattered Spider (or Octo Tempest) and TeamTNT, leading to financially motivated ‘spray and pray’ attacks that exploit zero-day vulnerabilities, making them the primary contributors to cloud-targeted cyberattacks.
  • Exploitation of human errors such as misconfigured cloud security settings leads to unauthorized data access, data breaches, encryption, and subsequent ransom demands, as in the cases of Toyota, Cognyte and Weibo, among others.
  • Social engineering attacks are the primary means of proliferation for sophisticated malware specifically designed to exploit cloud vulnerabilities.
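The second bullet's "misconfigured cloud security settings" is abstract until one sees what such a setting looks like. The following is an added example, not code from this report or from AWS tooling: it takes a constructed S3 bucket policy that grants read access to an anonymous principal (the kind of exposure the Alteryx case in section 3.1 describes), a constructed corrected policy that limits reads to one named role and denies plaintext transport, and checks both together with the account-level S3 Public Access Block flags. The bucket name, account id and role name are placeholders.

```python
"""Flag S3 bucket policies and Public Access Block settings that expose a bucket
to anonymous readers. Added example with constructed policies; not from the
report or from AWS tooling."""
import json

# Constructed policy: grants s3:GetObject to everyone (the kind of public-read
# misconfiguration behind the Alteryx exposure).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed corrected policy: only a named role may read, and plaintext
# (non-TLS) access is denied outright.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _principal_is_anonymous(principal):
    """True when a statement's Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to an anonymous
    principal with no Condition narrowing it. Deny statements with "*" are the
    normal way to express guardrails and are therefore not reported."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_anonymous(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no sid>"))
    return findings


def public_access_block_gaps(config):
    """Return the S3 Public Access Block flags that are not set to True.
    All four should be True on buckets holding private data; they make a
    public-read policy like PUBLIC_POLICY ineffective even if someone attaches it."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [flag for flag in required if not config.get(flag, False)]


if __name__ == "__main__":
    print("public statements:", public_statements(PUBLIC_POLICY))
    print("restricted policy:", public_statements(RESTRICTED_POLICY))
    print("PAB gaps:", public_access_block_gaps({"BlockPublicAcls": True}))
```

The policy check is deliberately conservative: a statement with a Condition is not reported, although a weak condition (for example one keyed on a guessable referrer) can still amount to public access, so conditioned wildcard grants deserve a manual look. In practice the policy JSON and the Public Access Block configuration would come from the bucket's own settings rather than the constructed constants here.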

Instances of cyber-attacks involving cloud environments or ransomware have been numerous in the past 18 months. My data shows that when these two threat surfaces intersect, the focus often shifts disproportionately to one element, leading to skewed interpretations. Reports detail the various TTPs (Tactics, Techniques, and Procedures) used by cyber gangs and ransomware groups, but often omit the victims, even though these TTPs are likely to affect multiple victims. Fig. 1 does not depict the true trend of ransomware-in-cloud cyber-attacks; it only serves to illustrate how the data collected from various sources is distributed over time.

Figure 1 | Distribution of collected data over time. The peak during June 2023 is due to the MOVEit vulnerability being exposed, which in turn led to a cascade of cyberattacks on various organizations. [Data available upon request :)]

Nation-state-sponsored cyber-attacks on cloud environments have increased, driven by espionage and financial motives. Countries like Russia, China, Iran, and North Korea are highly likely to target zero-day vulnerabilities in major platforms like Azure and AWS, aiming at a global range of victims, whereas ransomware and cybercrime groups have expanded to “one-to-many” attacks on cloud environments, particularly Azure. The distribution of the cyberattacks by threat actor is presented in Fig. 2.

Each nation-state’s motives are influenced by their economic conditions and ongoing conflicts. For example:

  • China: China’s cyber efforts are focused on high-tech fields such as chip development. Chinese threat actors like Gadolinium (APT40) have exploited Azure Active Directory applications for their command-and-control infrastructure. They use custom tools like the PowerShell Empire post-exploitation toolkit to deploy malicious modules via Microsoft Graph API calls.[1] Through these, the threat groups have targeted the health, maritime, higher education and government sectors for information gathering.
  • Russia: Russian state-sponsored actors are targeting Ukrainian infrastructure and command-and-control systems to disrupt rather than degrade them.[2] These activities come in addition to cyber-espionage efforts aimed at gathering strategic intelligence related to Ukraine worldwide.[3] Nobelium (APT29) carried out a phishing campaign to obtain Windows credentials using malicious domains masquerading as Amazon Web Services (AWS) domains, from which emails were sent advising recipients on procedures to integrate AWS with Windows.[4]
  • Iran: According to Gaby Portnoy, Director General of the Israeli Cyber Directorate, Iran has been targeting both allies and adversaries to extort information and damage digital services.[5] These attacks are sometimes carried out for financial gain to support these operations, with ransom collected in return for restoring the digital services they disrupted.

The integration of cloud services into critical and public infrastructure, such as nuclear power plants and water supply systems, significantly enhances the potential for adversaries to use cyber-offensive tactics against another nation-state. [6][7] These insights underscore the need for nation-states and organizations alike to allocate more resources towards strengthening their cloud-native environments.

Ransomware groups have expanded their domain with “one-to-many” attacks targeting cloud environments. From the adversary’s perspective, the advantages of cloud-native environments are the lack of visibility and their widespread adoption. Once they identify a vulnerability or a zero-day, they can exploit every user of that cloud environment, and the lack of visibility means that the victim might not even be able to trace back the origin, causing severe disruption of services. For instance, the threat actor “ShinyHunters” used compromised credentials to gain access to the Snowflake cloud storage accounts of as many as 165 customers across multiple industries. This exposure has had a cascading effect, wherein Ticketmaster’s and Santander Bank’s user information was breached and leaked as a result. [8] Further, this leak could allow threat actors to pivot into more sensitive OT environments, enabling operational disruption. This group is also attributed with carrying out a cloud extortion campaign (Bling Libra) to access AWS environments. [9]

Figure 2 | Distribution of threat actors in the collected dataset. The arc length of the third concentric circle indicates the number of instances in which the threat actor was involved in a cyber incident in the collected dataset. (zoom in for clarity) [Data available upon request :)]

Fig. 2 provides a summary of the different threat actors involved in cyberattacks employing ransomware to target cloud infrastructure. Among these, ALPHV (BlackCat), a notorious threat actor which claimed responsibility for the attacks on the financial firms LoanDepot and Prudential [10], is employing the Sphynx encryptor to encrypt targets’ Azure cloud storage. [11] Its partner, Scattered Spider, is targeting insurance and financial firms by “leverag[ing] SIM swapping to bypass multi-factor authentication” and using phishing and smishing campaigns. Their primary objective is to deploy ransomware in cloud environments, with a particular focus on VMware ESXi (an on-premises cloud platform) and Azure. Recently, Storm-0501, a known affiliate of several high-profile RaaS outfits, launched a multi-staged approach to compromise hybrid cloud environments and move laterally from on-premises to cloud environments.[12] This group uses both commodity and open-source tools to conduct its operations.

These threat actors have most likely developed or acquired tools for disabling security measures, reconnaissance and maintaining persistence (likely through sync across tenants) [13]. A concerning trend has emerged in the cyber threat landscape: the democratization of ransomware (ransomware-as-a-service (RaaS) for as little as 90 USD)[14] and partnerships among cybercriminal groups. This collaboration has facilitated the sharing of resources and knowledge, making it easier for even less sophisticated actors to target cloud-native environments. One such example is the ALPHV partnership with Scattered Spider (or Octo Tempest), where the former possesses advanced tools while the latter is believed to have a good grasp of the functioning and business practices of western companies. [15][16]

Based on the collected data, initial access into cloud infrastructure can be classified into three major categories:

3.1 Exploiting misconfigured cloud settings and bypassing security measures to deploy ransomware

  • The Alteryx cyber-attack (2017) exposed sensitive data of approximately 123 million American households due to a misconfigured Amazon Web Services (AWS) S3 bucket set to allow public access, which meant that anyone with the correct URL could access the stored data without any authentication. [17]
  • Scattered Spider employs “social engineering tactics, policy alterations, and access to password managers to infiltrate cloud systems. These actors exploit the connections between the cloud control plane and endpoints to move laterally, ensure persistence, and extract data”.[18]
  • A recent post from BleepingComputer discusses how ransomware gangs abuse the blind trust that certain corporate firewalls place in Azure, allowing exfiltration of sensitive information without any detection. In this tactic, used by BianLian and Rhysida, Azure Storage Explorer and the AzCopy command-line tool are used to facilitate large data transfers, which often go undetected and unblocked because the firewalls consider Azure a “trusted enterprise-grade service”.[19]
  • Note: Threat actors now employ Azure as a medium to exfiltrate data after an initial breach, as such traffic is unlikely to be blocked by existing firewalls and defense mechanisms. Recent research shows that safety and best practices are sacrificed for speed and convenience while developing cloud-native applications, which is concerning.[20]
  • TeamTNT, a cryptojacking threat actor, is preparing for a new large-scale campaign aimed at cloud-native environments to mine cryptocurrencies and rent out compromised servers to third parties. The group initiates its attacks by exploiting exposed Docker daemons to deploy Sliver malware, which serves as the initial compromise. This malware acts as a cyber worm, facilitating the spread of crypto miners and further malicious payloads.[21]
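The AzCopy/Storage Explorer bullets above describe why a firewall that trusts Azure wholesale lets bulk uploads through; the compensating control is to look at who uploads how much to which storage account. The following is an added example, not code from the report, BleepingComputer or Microsoft: it runs over constructed outbound-proxy log lines (timestamp, source host, method, URL, bytes sent, user-agent) and flags uploads to `*.blob.core.windows.net` that go to a storage account outside an allowlist or exceed a per-host volume threshold. The storage account names, host names, the allowlist and the 1 GiB threshold are assumptions; the `AzCopy/` user-agent prefix is used only as a constructed label for the tool column.

```python
"""Spot bulk uploads to Azure Blob Storage endpoints in outbound proxy logs.
Added example over constructed log lines; not from the report or any vendor."""
import re
from collections import defaultdict

# Constructed proxy log lines: timestamp, source host, method, URL, bytes sent, user-agent.
# fileserver01 is a legitimate backup job; ws-finance-07 pushes ~2 GiB to an unknown account.
SAMPLE_LOGS = """\
2024-09-26T02:14:05Z fileserver01 PUT https://corpbackup.blob.core.windows.net/backups/db.bak 734003200 AzCopy/10.21.0
2024-09-26T02:15:11Z fileserver01 PUT https://corpbackup.blob.core.windows.net/backups/db2.bak 209715200 AzCopy/10.21.0
2024-09-26T02:16:40Z ws-finance-07 PUT https://xk3q9ztp.blob.core.windows.net/out/hr-export.zip 1288490188 AzCopy/10.21.0
2024-09-26T02:17:02Z ws-finance-07 PUT https://xk3q9ztp.blob.core.windows.net/out/payroll.7z 943718400 AzCopy/10.21.0
2024-09-26T02:18:30Z ws-sales-12 GET https://login.microsoftonline.com/common/oauth2/v2.0/token 1024 Mozilla/5.0
2024-09-26T02:19:55Z ws-sales-12 PUT https://xk3q9ztp.blob.core.windows.net/out/notes.txt 2048 Mozilla/5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+) (?P<ua>.+)$"
)
BLOB_RE = re.compile(r"^https://(?P<account>[a-z0-9]+)\.blob\.core\.windows\.net/")

# Assumption: storage accounts the organisation actually owns; anything else is suspect.
ALLOWED_ACCOUNTS = {"corpbackup"}
# Assumption: per-host upload volume above which an analyst should look (1 GiB).
UPLOAD_THRESHOLD_BYTES = 1 << 30


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def azure_upload_findings(text, allowed=ALLOWED_ACCOUNTS, threshold=UPLOAD_THRESHOLD_BYTES):
    """Aggregate bytes of PUT requests to *.blob.core.windows.net per
    (source host, storage account) and return one finding per pair whose
    account is outside the allowlist or whose volume is at or above threshold."""
    totals = defaultdict(int)
    tools = defaultdict(set)
    for rec in parse_lines(text):
        m = BLOB_RE.match(rec["url"])
        if not m or rec["method"] != "PUT":
            continue
        key = (rec["host"], m.group("account"))
        totals[key] += int(rec["bytes"])
        tools[key].add(rec["ua"].split("/")[0])  # product token only, e.g. "AzCopy"
    findings = []
    for (host, account), total in sorted(totals.items()):
        reasons = []
        if account not in allowed:
            reasons.append("unknown storage account")
        if total >= threshold:
            reasons.append("upload volume above threshold")
        if reasons:
            findings.append({"host": host, "account": account, "bytes": total,
                             "tools": sorted(tools[(host, account)]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in azure_upload_findings(SAMPLE_LOGS):
        print(f"{f['host']} -> {f['account']}: {f['bytes']} bytes via {f['tools']}: {', '.join(f['reasons'])}")
```

Two points worth noting for anyone adapting this. Without TLS inspection a proxy sees only the SNI host name and byte counts, not the URL path or user-agent, but host plus volume is already enough for both rules, since the storage account name is the first label of the host. Second, the allowlist is what turns "Azure is trusted" into "our Azure accounts are trusted", which is exactly the distinction the firewalls in the BleepingComputer story were not making.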

3.2 Phishing campaigns distributing targeted malware, leading to ransomware on Azure (Dagon Locker)

  • Social engineering tactics are widely employed by the Scattered Spider (or Octo Tempest) gang, using “SMS phishing, SIM swapping, and account hijacking” for on-premises access.[22]
  • Threat actors have been exploiting the “remote code execution (RCE) vulnerability (reported in February 2021 as CVE-2021-21974 with a CVSS score of 8.8) that allows unauthenticated attackers to exploit a heap overflow in the OpenSLP service of ESXi.” Phishing campaigns are widely used to obtain initial access to the networks that host the vulnerable ESXi servers.[23]

3.3 Exploiting zero-day vulnerabilities in third-party software to access Azure storage (MOVEit, Shiny Hunters)

  • Threat groups have exploited a Google Groups weakness related to emails from domains with DMARC policies set to quarantine or reject, which caused legitimate emails to be flagged as spam or bounced. Google addressed this by rewriting the “From:” address to appear as if the message came from the mailing list. However, cyber actors now exploit this by targeting public groups that allow anyone to join, manipulating the “From:” address management.[24] This differs from the 2018 Google Group vulnerability, where speculative execution misconfigurations allowed unauthorized access to sensitive information in system memory and targeted all virtual machines hosted by the same system.[25]
  • The MOVEit vulnerability, specifically CVE-2023-34362, had a significant impact on cloud environments. This vulnerability allowed attackers to exploit a SQL injection flaw in MOVEit Transfer and MOVEit Cloud, leading to unauthorized access and data breaches. Attackers, notably the Cl0p ransomware group, used this vulnerability to steal sensitive data from numerous organizations across various sectors, including finance, healthcare, and government. The breach exposed detailed information about employees, increasing the risk of phishing and social engineering attacks.[26] This is the reason for the spike seen in Fig. 1.

Given the versatility and breadth of the TTPs employed by the threat actors, the defensive mechanisms employed to protect the cloud must be robust. While defending against zero-days remains arduous, establishing and adopting practices such as “least privilege roles” and a “Zero Trust approach” minimizes damage and lateral movement by the threat actor. The number of instances in which the absence of the following generic and fundamental controls has been used to exploit cloud environments is alarming:

  1. Enforcing patch management on all devices in the cloud, including those of third-party contractors and helpdesk agents (a gap exploited by Scattered Spider)
  2. Adopting and carefully choosing applications for network segmentation (strongly suggested by an anonymous source at a cloud service provider in India)
  3. Mandating multi-factor authentication (its absence was exploited in the Change Healthcare and Live Nation cyberattacks)
  4. User training: I believe this is the most important aspect, as it cuts off a widely exploited initial access technique used by threat groups.

The rapid adoption of cloud services has created numerous interconnections and data transfers, making it difficult to map and maintain visibility of all applications and dependencies. Security teams struggle to identify critical risks amid the noisy attack surface. The distributed nature of cloud environments and the complexity of managing security across multiple clouds and containers increase the attack surface. This raises questions about whether corporations should use cloud services for business-critical data and if the benefits outweigh the potential vulnerabilities and risks.

I thank the contributions of my red cell partner Kuang-Yun for her comments and Prof. Sergio for providing the resources to carry out this study. I also thank the anonymous source in a cloud service provider in India for their advice and suggestions.

Individual sources are cited for most cases, but these were identified using the Resecurity, AlienVault and Recorded Future platforms.

[1] https://www.bleepingcomputer.com/news/security/microsoft-disrupts-nation-state-hacker-op-using-azure-cloud-service/

[2] https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war

[3] https://www.techrepublic.com/article/google-cloud-security-talks-2023/

[4] https://www.darkreading.com/cyberattacks-data-breaches/russias-apt29-aws-windows-credentials

[5] https://www.gov.il/en/pages/portnoy_cyber_week_24

[6] https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/

[7] https://www.datadynamicsinc.com/quick-bytes-the-power-of-the-atom-to-fuel-the-digital-skies-of-tomorrow-nuclear-powered-cloud-computing/

[8] https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/

[9] https://otx.alienvault.com/pulse/66cdfef5bea27a7ed07baad4

[10] https://www.securityweek.com/ransomware-group-takes-credit-for-loandepot-prudential-financial-attacks/

[11] https://www.bleepingcomputer.com/news/security/blackcat-ransomware-hits-azure-storage-with-sphynx-encryptor/

[12] https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/

[13] https://app.resecurity.com/incident/index?IncidentSearch[id]=232520

[14] https://app.resecurity.com/search/index?PostSearch%5Bid%5D=1396202442

[15] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

[16] https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries#a2

[17] https://www.idx.us/knowledge-center/alteryx-data-breach-what-you-need-to-know

[18] https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications/

[19] https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-abuse-microsoft-azure-tool-for-data-theft/

[20] https://app.resecurity.com/news/index?NewsSearch[id]=4762140

[21] https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.html

[22] https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-switch-focus-to-cloud-apps-for-data-theft/

[23] https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/

[24] https://dmarcreport.com/blog/hackers-exploiting-google-groups-address/

[25] https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

[26] https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attack

Your ppt For Paper Presentation✔

Your presentation is what bags the prize at the end of the day!

Always remember that your title should not give you away but should still sway your audience. It should be short, crisp, and catchy. People will remember only your topic, not your name. It generally bags you the prize in conferences and symposiums. And don’t make it too complex and clumsy.

Always remember that people need to listen to what you say and not watch your PPT. All that your PPT should have are images and tips. Nothing else. There are associated problems with giving away all your data in the PPT. Plagiarism is imminent! Look out!

Make the PPT single-coloured; I would suggest using the Wood type in PowerPoint. Also try shifting to Google Slides; it is better, as 3-4 people can work on the same thing at the same time. You can get wonderful templates from Slidesgo for both Google Slides and PowerPoint, so surely take a look at that! Try to add some videos or GIFs to make the PPT more interactive!

Always make the PPT animated, yet formal. Try to have charts and flow charts, and go with a flow!

Contents > Problem statement > Intro > Brief intro to the prob > Solution > Methods > Results > Future work > cost estimation(if applicable) > Conclusion > Bibliography

Fill Function in Excel

The Fill function is a rarely used function in the Home tab of Excel. It can be used to fill all the selected cells with the same data as the previous cell, or to fill a series into the selected cells.

That is, if we need a series of odd numbers, we should enter any two members of the series and then select the cells up to which the numbers are to be filled.

When a series is required, the Series option is selected from the dropdown menu, and the dialogue box shown above opens.

On clicking “OK”, the values are updated in the selected cells.

How to download the Youtube thumbnail or cover image?

It’s quite easy and I have tried it out too! Javapipe says:

1. Open the YouTube video link in a browser

2. Right click (on the white space) => View the page source. Or for example in Google Chrome, Tools => View Source

3. Find (Ctrl+F) => “og:image”

4. Copy the og:image content url. For Example, “https://i.ytimg.com/vi/9wzk8v4Klsg/maxresdefault.jpg”

5. Open the copied og:image content url in the same browser window

6. Right click on the image and save it to your desktop
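Javapipe's steps locate the og:image tag by hand in the page source; the same lookup can be done programmatically. The following is an added example, not code from this blog or from Javapipe: it parses a constructed HTML fragment shaped like a watch page's head (using the video id quoted above) with Python's built-in HTML parser and returns the og:image content URL, or None when the tag is absent.

```python
"""Extract the og:image URL from a video page's HTML. Added example with a
constructed HTML fragment; not code from this blog or from Javapipe."""
from html.parser import HTMLParser

# Constructed fragment in the shape of a watch page's <head>.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Example video">
<meta property="og:image" content="https://i.ytimg.com/vi/9wzk8v4Klsg/maxresdefault.jpg">
<meta property="og:image:width" content="1280">
</head><body></body></html>"""


class OgImageParser(HTMLParser):
    """Records the content attribute of the first <meta property="og:image"> seen."""

    def __init__(self):
        super().__init__()
        self.og_image = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.og_image is not None:
            return
        attr = dict(attrs)
        if attr.get("property") == "og:image":
            self.og_image = attr.get("content")


def find_og_image(html):
    """Return the first og:image content URL in the page, or None if there is none."""
    parser = OgImageParser()
    parser.feed(html)
    return parser.og_image


if __name__ == "__main__":
    print(find_og_image(SAMPLE_HTML))
```

To use it on a real page, read the page body (for example with `urllib.request.urlopen`) and pass the decoded text to `find_og_image`; the returned URL is the one you would otherwise open and save by hand in steps 5 and 6.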

Freeze in excel🥶❄!

I never knew how to use this feature, though it’s a great and important feature, until I found it on the page of New Mexico State University. It puts it much more simply!

  • To lock one row only, choose the View tab, and then click Freeze Top Row.
  • To lock one column only, choose the View tab, and then click Freeze First Column.
  • To lock more than one row or column, or to lock both rows and columns at the same time, you will want to put your cursor below the row(s) you want to freeze and to the right of any column(s) you want to freeze.

The water overflow preventor!

We used to collect the RO outlet water in buckets so as to reuse it for watering plants. But on quite a few days we forgot to switch buckets and our house got literally flooded. And imagine cleaning the mess😥😥!

So I decided to make this device, based on the principle of the water flush tank in lavatories 🚽. It’s a simple DIY and costs nothing more than 50 INR.

The figures represent the working of the flush tank. Once the water level starts to fall after the flush, the ball sinks. This allows water to enter the tank through the inlet tube. As the water level rises, the ball also rises, simultaneously closing the inlet valve. At the critical maximum height, the water inlet is fully stopped.

Requirements:

  1. A large clip
  2. A large plastic ball
  3. A buzzer
  4. 9V battery
  5. Straws
  6. Aluminium foil
  7. Faber-Castell Tack-it
  8. Connecting wires
(Image: Blue Tack-It multipurpose reusable adhesive clay.) This is what I used!

The ball is connected to the clip via the straw. The ball floats on the water due to its lower density, which is why we use a plastic one. I used the Tack-it to attach it to the clip, and the circuitry was made in such a way that the buzzer starts to buzz 📣📢 once the water level reaches the maximum. The aluminium foil increases the area of contact, thus minimizing the error during operation. Check out this video which explains the working.

Wireless mouse goes on and off- The solution

If you are having a problem with your wireless mouse, it’s mainly because of the battery, which has probably gone dry. If your mouse suddenly becomes unresponsive and then comes back again, you can be sure of it!

Just change the battery and things will be as they were! Be sure to use a good battery like Energizer or Duracell, as they have better battery life and strength!

Inserting a background image to only one page in Word

To insert it on every page you can go to:

  1. Design > Page colour > Fill effects
  2. Go to the Picture tab and select the picture from your desired location.
  3. Select the image from the desired location.
  4. The image is added to all the pages.

If the image is to be added to the first page alone:

  1. Go to Insert > Shapes > Select rectangle
  2. Drag the shape over the entire page.
  3. Now go to Drawing Tools > Shape fill > Picture and select the picture from your desired location.
  4. The image is inserted on one page only.
