Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of a topic, and the filters can be used to further select the content most relevant to you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Cloud services increasingly under attack in 2021
Naturally, organizations are becoming increasingly dependent on cloud vendors to securely manage their databases, proprietary code, and organizational resources. These organizations are now gradually filling in the platform and role management knowledge gaps that formed during the rapid shift to cloud-based environments in 2020, leading to better security and more comprehensive administration. However, IAM (Identity and Access Management) role assumption attacks, which aim to elevate privileges after unauthorized access has been obtained, continue to be a significant concern.
As usual, threat actors continue to race against the security research community, looking for new vulnerabilities and exploits. Since late 2021, we have witnessed a wave of attacks leveraging flaws in the services of industry-leading cloud service providers to gain control over an organization’s cloud infrastructure, or, potentially, the organization’s entire database which stores proprietary, customer and financial information. The flaws under discussion are not trust logic flaws – permission-based flaws that derive from the organization’s role policy that are used by threat actors to gradually escalate privileges within the environment. Instead, we’re dealing with critical vulnerabilities in the cloud infrastructure itself, which can allow full takeover of accounts or arbitrary code execution.
The trend is led by the infamous OMIGOD flaw attacks. In September, researchers found four critical vulnerabilities in OMI (Open Management Infrastructure), one of Microsoft Azure’s software agents, which allows users to manage configurations across remote and local environments. OMI is deployed on Azure Linux VMs, is embedded into multiple Azure services and is installed automatically when some services are enabled – which makes these flaws highly likely to be exploited. An estimated 65% of all Azure customers are vulnerable, which translates to thousands of organizations and millions of endpoint devices. The OMIGOD flaws are easy to exploit, as only a single request with the authentication header removed is needed.
Together, the vulnerabilities could enable actors to execute arbitrary code remotely within a vulnerable network and escalate to root privileges. Microsoft already issued a patch to address the flaws as part of its September 2021 release. However, some researchers warned that the company’s automatic fix was ineffective for several days, until it was repaired. Attacks leveraging these flaws, in particular the 9.8-rated RCE flaw assigned CVE-2021-38647, were already being observed at the time of disclosure and have increased rapidly ever since. Servers scanning for vulnerable devices spiked from around 10 to more than 100 during the first weekend alone. The notorious Mirai IoT (Internet-of-Things) botnet was one of the first to target vulnerable devices, and the malware attempted to close port 5896 (the OMI SSL port) to keep other actors from taking advantage of the attack. Attacks aiming to deploy crypto miners onto unpatched Linux devices were also observed.
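The defining trait of the OMIGOD request pattern described above is an OMI management request that arrives with no authentication header at all, which is also what makes it easy to hunt for in request logs. The script below is an added example and is not code from the trend snippet, HSD, or Microsoft: it scans constructed access-log lines in an assumed simplified format (timestamp, client IP, listening port, method, path, header names) and flags every request to the WS-Management endpoint that lacks an Authorization header, then counts hits per client so that a scanner probing many hosts stands out. The log format, the /wsman path and the port numbers in the sample lines are assumptions for the illustration, not details given in the text.

```python
"""Hunt for OMI/WS-Management requests that carry no Authorization header.

Added example; not code from the trend snippet or from Microsoft/OMI.
Assumed log format (constructed for this example), one request per line:
    <timestamp> <client-ip> <listening-port> <method> <path> <header-names>
where <header-names> is a semicolon-separated list of the request's header
names. The /wsman path and the port numbers below are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (RFC 5737 documentation addresses). The
# second and third lines show the pattern described in the text: a request
# to the management endpoint with the authentication header missing.
SAMPLE_LOG = """\
2021-09-16T10:01:03Z 203.0.113.7 5986 POST /wsman Host;Content-Type;Authorization
2021-09-16T10:01:09Z 198.51.100.23 5986 POST /wsman Host;Content-Type
2021-09-16T10:01:15Z 198.51.100.23 5985 POST /wsman Host;Content-Type
2021-09-16T10:02:40Z 203.0.113.7 5986 GET /wsman Host;Authorization
2021-09-16T10:03:02Z 192.0.2.5 443 GET /healthz Host;User-Agent
this line is deliberately malformed and must be skipped
"""

WSMAN_PATH_PREFIX = "/wsman"  # assumed WS-Management endpoint path


@dataclass
class Finding:
    timestamp: str
    client: str
    port: int
    method: str


def parse_line(line: str) -> Optional[Tuple[str, str, int, str, str, List[str]]]:
    """Split one log line into its fields; return None for malformed lines."""
    fields = line.strip().split(" ", 5)
    if len(fields) != 6:
        return None
    ts, client, port, method, path, header_blob = fields
    if not port.isdigit():
        return None
    headers = [h for h in header_blob.split(";") if h]
    return ts, client, int(port), method, path, headers


def is_unauthenticated_wsman(path: str, headers: List[str]) -> bool:
    """True when the request targets the WS-Man endpoint without any
    Authorization header, regardless of HTTP method or port."""
    if not path.startswith(WSMAN_PATH_PREFIX):
        return False
    return not any(h.lower() == "authorization" for h in headers)


def find_unauthenticated_wsman(log_text: str) -> List[Finding]:
    """Return a Finding for every unauthenticated WS-Man request in the log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        ts, client, port, method, path, headers = parsed
        if is_unauthenticated_wsman(path, headers):
            findings.append(Finding(ts, client, port, method))
    return findings


def summarize_by_client(findings: List[Finding]) -> Dict[str, int]:
    """Count unauthenticated requests per client IP; high counts across
    several ports or hosts are the signature of a scanner."""
    return dict(Counter(f.client for f in findings))


if __name__ == "__main__":
    hits = find_unauthenticated_wsman(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.timestamp} {hit.client} port={hit.port} {hit.method} "
              f"{WSMAN_PATH_PREFIX} without Authorization header")
    print("per client:", summarize_by_client(hits))
```

In a real deployment the same predicate would run over the web-server or proxy logs that front the management port; any hit on a host that has not yet received the patched agent is worth treating as an incident rather than noise.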
To conclude, in 2021 cloud provider vulnerabilities became much more alarming than they had been previously. The vulnerabilities exposed throughout the year allowed attackers, for varying lengths of time, to execute arbitrary code, escalate to root privileges, access large volumes of private content and even cross between different environments. In short, vulnerabilities in the cloud infrastructure itself have been exposed that even the most vigilant and professional cloud consumer could not have foreseen or prevented.