diff --git a/chapters/01-introduction/security-threats-and-attacks.md b/chapters/01-introduction/security-threats-and-attacks.md index 8f9b394..8363d2b 100644 --- a/chapters/01-introduction/security-threats-and-attacks.md +++ b/chapters/01-introduction/security-threats-and-attacks.md @@ -101,7 +101,7 @@ ### Attack vectors - Attack vector = Means by which hackers deliver a payload to systems and networks -- [Cloud computing threats](./../16-cloud-computing/cloud-security.md#cloud-computing-threats) such as data breach and loss. +- [Cloud computing threats](./../16-cloud-computing/cloud-security.md#cloud-computing-risks-and-threats) such as data breach and loss. - [IoT threats](./../18-iot-and-ot/iot-security.md#iot-threats) usually caused by insecure devices and hardware constraints (battery, memory, CPU etc.) - [Ransomware](../07-malware/malware-overview.md#ransomware): Restricts access to your files and requires payment to be granted access - [Mobile threats](./../17-mobile-platforms/mobile-attacks.md#mobile-threats) diff --git a/chapters/16-cloud-computing/cloud-security.md b/chapters/16-cloud-computing/cloud-security.md index 5b5152a..eb77ff1 100644 --- a/chapters/16-cloud-computing/cloud-security.md +++ b/chapters/16-cloud-computing/cloud-security.md @@ -10,7 +10,7 @@ - Attempts to resolve computer security problems through hardware enhancements - **Roots of Trust (RoT)**: set of functions within TCM that are always trusted by the OS -## Cloud computing threats +## Cloud computing risks and threats - **Stealing information from other cloud users** - Internal threats where employees copying company data with bad intentions e.g. to trade. 
@@ -18,16 +18,17 @@ - Information might include e.g. credit numbers, social security numbers - **Data loss** - Deleting data stored on the cloud through viruses and malware - - ❗High impact if there are no back-ups + - ❗ High impact if there are no back-ups - **Attack on sensitive information** - Stealing information about other users e.g. financial data. -- **A hacker can utilize computer power** to e.g. - - crack passwords with many password attempts per seconds - - DDoS attacks +- Attacker utilization of cloud infrastructure e.g. + - **Using compute power** to crack passwords with many password attempts per seconds + - **DDoS** attacks using cloud computing - **Shadow IT** - IT systems or solutions that are developed to handle an issue but aren't taken through proper approval chain - **Abusing cloud services** -- **Insecure interfaces and APIs** e.g. weak authentication +- **Insecure interfaces and APIs** + - E.g. weak authentication - **Insufficient due diligence** - Moving an application without knowing the security differences - **Shared technology issues** 
@@ -39,18 +40,25 @@ - **Conflicts between client hardening procedures and cloud environment** - **Malicious insiders** - **Illegal access to the cloud** - - E.g. in [2020 United States federal government data breach](https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach) a compromised global administrator account has assigned credentials to cloud service principals that allowed malicious access to cloud systems. + - E.g. in US data breach in 2020 a compromised global administrator account has assigned credentials to cloud service principals that allowed malicious access to cloud systems [1] - **Virtualization level attacks** - **Privilege escalation via error** - **Service termination and failure** -- **Hardware failure**: can be mitigated by using more zones in cloud. -- **Natural disasters**: can be mitigated by using more regions in cloud. +- **Hardware failure** + - 💡 Can be mitigated by using more zones in cloud. +- **Natural disasters** + - 💡 Can be mitigated by using more regions in cloud. - **Weak authentication** - E.g. burden of managing identity both on-premises and on cloud - Allows compromise on on-premises systems to spread to cloud. - Allows adding a malicious certificate trust relationship in cloud for forging SAML tokens on-premises. -- **DDoS** attacks using cloud computing. -- **Compliance risks** e.g. laws regarding data transfer across borders +- **Compliance risks** + - E.g. laws regarding data transfer across borders +- **Cloud cryptojacking** + - 📝 Hijacking cloud resources to mine for cryptocurrency + - Often targeted on IaaS platforms through malware + +[1]: https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach "2020 United States federal government data breach" ## Cloud computing attacks 
@@ -62,7 +70,9 @@ - **Session hijacking** e.g. cookie stealing - **Cryptanalysis attacks** e.g. weak encryption - **DoS (Denial-of-service)** -- E.g. In [2020 United States federal government data breach](https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach), used TTP were stealing SAML tokens to attack [SSO](./../01-introduction/identity-access-management-(iam).md#single-sign-on-sso) infrastructure according to [TTP analysis from NSA](https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF). +- E.g. In 2020 United States federal government data breach [1] + +[1]: https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach "2020 United States federal government data breach" ### Wrapping attack 
@@ -82,9 +92,62 @@ - Attacker can then take advantage of shared resources (processor cache, keys, ...) - Can be installed by a malicious insider or an impersonated legitimate user +### Cloud Hopper attack + +- 📝 Targets managed service providers (MSPs) and their users +- 📝 Initiated by delivering malware through [spear-phishing](./../10-social-engineering/social-engineering-types.md#spear-phishing) emails +- Goal is to compromise the accounts of staff or cloud service firms to obtain confidential information +- Flow [2] + 1. Infiltrate the service provider + 2. Once inside, find system administrator who controls the company jump servers with connection to client networks + 3. Map victim network and identify sensitive data + 4. Encrypt and exfiltrate the data either through victim or the service provider +- 🤗 Named after attacks by Chinese cyber spies [2] to MSPs in countries such as UK, USA and Sweden [1] + +[1]: https://en.wikipedia.org/wiki/Red_Apollo#2014_to_2017:_Operation_Cloud_Hopper "Operation Cloud Hopper | Wikipedia" +[2]: https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/ "Inside the West's failed fight against China's 'Cloud Hopper' hackers | Reuters" + +### Cloudborne attack + +- Done by exploiting a specific BMC vulnerability +- 📝 Bare-metal / firmware level attack + - Allows injecting code/backdoors + - Affects IaaS providers that gives bare-metal access without access to the actual firmware + - Impacting businesses that use bare metal cloud offerings + - Survives client switches (customer customer re-assignments) performed by the provider + - Targets baseboard management controller (BMC) firmware + - BMC enables remote management of a server for initial provisioning, OS reinstall and troubleshooting [1] [2] +- Mitigated by IBM through factory firmware reset before re-provisioning hardware to other customers [2] +- Allows attacks such as + - permanent denial-of-service (PDoS) on bare metal server + - stealing data from 
application running on the server + - ransomware attacks +- Revealed by Eclypsium (Firmware protection firm) in 2019 based on IBM SoftLayer cloud services [1] + +[1]: https://eclypsium.com/2019/01/26/the-missing-security-primer-for-bare-metal-cloud-services/ "The Missing Security Primer for Bare Metal Cloud Services | eclypsium.com" +[2]: https://www.ibm.com/blogs/psirt/vulnerability-involving-ibm-cloud-baseboard-management-controller-bmc-firmware/ "Vulnerability involving IBM Cloud Baseboard Management Controller (BMC) Firmware | IBM" + +### Man-In-The-Cloud (MITC) attack + +- 📝 Done by using file synchronization services (e.g. Google Drive and Dropbox) as infrastructure + - E.g. as command and control (C&C), data exfiltration, and remote access. +- Makes it hard to + - distinguish malicious traffic from normal traffic + - discover and analyze evidence due to not leaving footprint on endpoint devices +- E.g. Switcher malware [1] + 1. Installs attackers token and moves victim's real token into *sync folder* folder to be synced + 2. Victim device is synced to attackers attacker account + 3. Attacker uses original account token and erase malicious one + 4. Removes traces of the security breach + +[1]: https://www.helpnetsecurity.com/2019/01/21/mitc-attack/ "Beware the man in the cloud: How to protect against a new breed of cyberattack | Help Net Security" + ## Cloud security tools - [CloudInspect](https://www.coresecurity.com/core-labs/open-source-tools/core-cloudinspect) - Penetration-testing as a service from Amazon Web Services for EC2 users - [CloudPassage Halo](https://www.cloudpassage.com/cloud-computing-security/) - Automates cloud computing security and compliance controls +- [privacy.sexy](https://github.com/undergroundwires/privacy.sexy) + - Open-source solution to increase privacy by reducing third party cloud-based data collection + - Can also be used to harden virtual machine images and OSes that are talking to cloud services
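Review bot: in the `@@ -101,7 +101,7 @@` hunk of security-threats-and-attacks.md, a heading rename like the one this link follows can leave other inbound links still pointing at the old `#cloud-computing-threats` anchor; only this one reference is updated in the patch, so grep the repo for the old anchor before merging. Minor, while touching this list: the sibling items mix `./../` and `../` relative prefixes (the IoT and Mobile lines versus the Ransomware line); picking one form would be tidier.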
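Review bot: in the `@@ -18,16 +18,17 @@` hunk of cloud-security.md, `crack passwords with many password attempts per seconds` should read `per second`; the line is being rewritten anyway, so fix the typo here. Also, every other top-level item in this list is bolded, but the new `- Attacker utilization of cloud infrastructure e.g.` is plain text with a dangling `e.g.`; `- **Attacker utilization of cloud infrastructure**` with the two sub-bullets as the examples would match the list's convention. Moving the DDoS line under this item and deleting its duplicate further down is a good dedup.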
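Review bot: in the `@@ -39,18 +40,25 @@` hunk of cloud-security.md, the reference definition `[1]` added at the end of this section collides with the other `[1]`/`[2]` definitions this patch adds later in the same file (the DoS example, Cloud Hopper, Cloudborne and MITC each define their own). Markdown link reference definitions are document-scoped, and in CommonMark (which GitHub's renderer follows) the first definition of a label wins, so `[1]` in the Cloudborne and MITC sections would resolve to the 2020 breach Wikipedia page rather than the Eclypsium or Help Net Security articles. Use unique labels per source or one reference list at the end of the file. Separately, `E.g. in US data breach in 2020 a compromised global administrator account has assigned credentials` loses the precise incident name that the DoS hunk below keeps, and the tense is off; `E.g. in the 2020 United States federal government data breach, a compromised global administrator account assigned credentials to cloud service principals ...` is consistent and grammatical.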
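Review bot: in the `@@ -62,7 +70,9 @@` hunk of cloud-security.md, the rewritten example bullet no longer says what the 2020 breach is an example of. The removed line named the technique (stealing SAML tokens to attack SSO infrastructure) and linked the NSA analysis; the replacement `- E.g. In 2020 United States federal government data breach [1]` sits directly under `- **DoS (Denial-of-service)**` as a bare citation, which reads as if the breach were a DoS incident. Keep at least the SAML/SSO clause, for example `- E.g. SAML token theft against SSO infrastructure in the 2020 United States federal government data breach [1]`, and consider keeping the NSA PDF as a second reference rather than dropping it. The `[1]` definition added here repeats the identical one defined a few lines earlier in the file; harmless for the same URL, but the numeric-label scheme breaks once later sections reuse `[1]` for different URLs.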
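Review bot: in the `@@ -82,9 +92,62 @@` hunk of cloud-security.md, the reference labels `[1]` and `[2]` are redefined three times with different URLs (Cloud Hopper, Cloudborne, MITC); since reference definitions are document-wide and the first definition wins in CommonMark, the Cloudborne and MITC citations will render with the wrong targets, so give each source a unique label. Several duplicated words and agreement errors in the new text: `customer customer re-assignments`, `attackers attacker account`, `IaaS providers that gives` (give), `Installs attackers token` (attacker's), `erase malicious one` (erases the malicious one), `into *sync folder* folder`, and `attacks by Chinese cyber spies [2] to MSPs` (on MSPs). In the Cloudborne section, `Affects IaaS providers that gives bare-metal access without access to the actual firmware` is hard to parse; if the intended point is that customers get bare-metal access while the provider retains the firmware, say so in those words. `Done by exploiting a specific BMC vulnerability` should either name the vulnerability or cite `[2]` on that line, since the IBM PSIRT page is the advisory. Lastly, the privacy.sexy entry describes client-side privacy hardening (`reducing third party cloud-based data collection`) rather than a cloud security tool like the two entries above it; consider whether it fits this list or belongs in a hardening section.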