Cloud Cyberattacks

Chris Swagler | January 9th, 2024


Several high-profile cloud cyberattacks between 2020 and 2022 resulted from basic technical flaws that could have been avoided with faster detection and response. A solution architect at a cloud security company found that cloud cyberattacks are becoming more advanced, both in the number of attacks and in threat operators' use of automated tools, which means defenders must speed up their detection and response capabilities to thwart them. Across the incidents, the researchers identified several telling trends: threat operators are building tools that automate scanning, discovery, and exploitation of the target, and they gain access to systems using leaked credentials and common vulnerabilities. The researchers chose attacks from several industries to evaluate a range of cloud cyberattacks:

  • PyTorch – In December 2022, a threat operator used the PyPI code repository to deliver a compromised PyTorch dependency containing malicious code designed to steal system data. The threat operator appeared to be an ethical cybercriminal testing the system and was only discovered when they attempted to disguise the malware and steal sensitive data.
  • MediBank – In November 2022, threat operators gained access to internal systems using compromised login credentials, a method that may have involved VPN access. After a month of lurking on the systems, the threat operators revealed to the bank what they had stolen. When the bank declined to pay the ransom, the threat operators released the information on the dark web.
  • Alibaba – Shanghai Police – A misconfigured Alibaba cloud server was left open on the internet for over a year without a password; in July 2022 this resulted in the theft of 23TB of data and its sale on a forum called Breach Forums. The 23TB file contained personal information on a billion Chinese residents that had been held in the Shanghai National Police database.
  • ONUS – In December 2021, threat operators exploited a vulnerable Log4j version at Vietnam's largest crypto trading company. Around two million client records were stolen, including full names, E-KYC data, email addresses, phone numbers, encrypted passwords, and transaction histories.
  • Peloton – In May 2021, researchers discovered that an unauthenticated user could read sensitive information for all users, observe live class statistics, and probe other class participants, even when users' accounts were set to private mode. Because of the vulnerability, a threat operator could see users' IDs, group memberships, locations, workout stats, gender, and age.
  • Equinix – The data center provider was hit by a ransomware attack in September 2020 that affected some of the company's internal systems. Threat operators demanded a $4.5 million ransom from Equinix, claiming they could download important data from the company's servers and threatening to release it if the ransom wasn't paid. A nearly two-month investigation revealed that no critical information about customer operations or customer data was compromised, and the incident had no impact on the data centers.

The goal of the investigation into these attacks was to identify the true failure points and areas for improvement. By concentrating on the technical details of the incidents and their long-term effects, these lessons can help organizations critically evaluate their cloud environments, security controls, and procedures. According to the researchers, learning from the attack and response patterns in these incidents can improve cloud security and counteract cyber threats. One problem is that security teams frequently must choose between focusing on detection and response, which calls for multiple layers of security solutions, and prevention, which involves strengthening defenses. A benchmark for detection and response is required, particularly because threat operators can use automated tooling to advance their attacks and because defenders must move more quickly to protect a larger attack surface. The researchers proposed a 5/5/5 benchmark: companies should take five seconds to detect a threat, five minutes to triage it, and five minutes to respond. The benchmark reflects the fact that, in the cloud, everything happens so quickly that detection, triage, and response all have to happen quickly as well.
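The 5/5/5 benchmark is only useful if a team actually measures its own incident timelines against it. The following is an added example, not code from the article or from the researchers it describes; the incident records, field names, and timestamps are constructed here for illustration. It computes the detect, triage, and respond durations for an incident and reports which stages missed the five-second / five-minute / five-minute targets, including the "attacker lurked for a month before anyone noticed" pattern the MediBank entry describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Thresholds from the 5/5/5 benchmark described in the article:
# five seconds to detect, five minutes to triage, five minutes to respond.
BENCHMARK: Dict[str, timedelta] = {
    "detect": timedelta(seconds=5),
    "triage": timedelta(minutes=5),
    "respond": timedelta(minutes=5),
}


@dataclass
class IncidentTimeline:
    """Key timestamps for one incident. Field names are assumptions for this example."""
    name: str
    first_malicious_activity: datetime  # earliest attacker action reconstructed from logs
    alert_raised: datetime              # moment a detection fired
    triage_complete: datetime           # analyst confirmed a real threat and its scope
    containment_started: datetime       # first response action (credential revoked, host isolated)


def stage_durations(t: IncidentTimeline) -> Dict[str, timedelta]:
    """Elapsed time for each stage; raises if the timestamps are out of order."""
    durations = {
        "detect": t.alert_raised - t.first_malicious_activity,
        "triage": t.triage_complete - t.alert_raised,
        "respond": t.containment_started - t.triage_complete,
    }
    for stage, d in durations.items():
        if d < timedelta(0):
            raise ValueError(f"{t.name}: '{stage}' stage has a negative duration; check clock sync")
    return durations


def evaluate_against_555(t: IncidentTimeline) -> Dict[str, bool]:
    """True for each stage that met the 5/5/5 target, False where it was missed."""
    return {stage: d <= BENCHMARK[stage] for stage, d in stage_durations(t).items()}


def failing_stages(t: IncidentTimeline) -> List[str]:
    """Names of the stages that exceeded the benchmark, in pipeline order."""
    return [stage for stage, ok in evaluate_against_555(t).items() if not ok]


def report(incidents: List[IncidentTimeline]) -> Dict[str, List[str]]:
    """Map each incident name to the stages it failed (empty list means fully compliant)."""
    return {t.name: failing_stages(t) for t in incidents}


# Constructed sample incidents (not real data).
_T0 = datetime(2024, 1, 9, 10, 0, 0)

# Automated detection fired within seconds; analysts triaged and contained quickly.
FAST_INCIDENT = IncidentTimeline(
    name="leaked-access-key-used",
    first_malicious_activity=_T0,
    alert_raised=_T0 + timedelta(seconds=3),
    triage_complete=_T0 + timedelta(seconds=3, minutes=4),
    containment_started=_T0 + timedelta(seconds=3, minutes=6),
)

# Credential-based intrusion that went unnoticed for a month, then slow triage.
SLOW_INCIDENT = IncidentTimeline(
    name="compromised-vpn-credentials",
    first_malicious_activity=_T0,
    alert_raised=_T0 + timedelta(days=30),
    triage_complete=_T0 + timedelta(days=30, minutes=20),
    containment_started=_T0 + timedelta(days=30, minutes=23),
)

if __name__ == "__main__":
    for name, failed in report([FAST_INCIDENT, SLOW_INCIDENT]).items():
        status = "meets 5/5/5" if not failed else "missed: " + ", ".join(failed)
        print(f"{name}: {status}")
```

Feeding real ticket or SIEM timestamps into `IncidentTimeline` turns the benchmark into a trend you can track per incident class; the detect stage is the one that almost always dominates when access came through leaked or compromised credentials, because nothing "breaks" to trigger an alert.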

Learning from past cyberattacks on cloud service providers can help prevent the same mistakes, which can lead to serious consequences. Companies also need to stay aware of the current threat landscape and regularly update their network infrastructure. At SpearTip, we offer a layered security system designed to protect our clients' critical assets, including those of their own clients. With real-time monitoring and alerting capabilities, our service helps safeguard against cyberattacks and data theft. We enhance companies' security maturity with cloud application protection supported by our team of experienced professionals in our 24/7/365 Security Operations Center. This protection covers applications including Microsoft 365, Google Workspace, Salesforce, email tenants, and more, minimizing disruption so companies can focus on running their business and supporting their clients' operations. Companies can strengthen their cybersecurity posture, and that of their clients, with cloud application protection that offers high-level insights through a unified monitoring and alerting system. Our services allow you to baseline security and track it over time.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.

Frequently Asked Questions

What specific actions can individuals and organizations take to mitigate the risks and vulnerabilities associated with cloud cyberattacks?

Individuals and organizations can take several actions to mitigate the risks and vulnerabilities associated with cloud cyberattacks. Firstly, they should ensure that their cloud providers have adequate security measures in place to protect their data. Secondly, they should implement multi-factor authentication, strong passwords, and access controls to limit unauthorized access. Thirdly, they should conduct regular security assessments and audits to identify and address any vulnerabilities in their systems. Finally, they should have a comprehensive incident response plan in place to quickly respond to any cyberattacks.

How do cloud service providers ensure the security and protection of their clients' data in the face of evolving cyber threats?

Cloud service providers ensure the security and protection of their clients' data in the face of evolving cyber threats by implementing a range of security measures and protocols. These include encryption, access controls, firewalls, intrusion detection and prevention systems, and regular security assessments and audits. They also have dedicated security teams that monitor and respond to any security incidents or threats. Additionally, cloud service providers comply with industry standards and regulations, such as GDPR and SOC 2, to ensure that their security measures are up to par.
