Cado Security announced the release of the Cado Security Labs H2 2023 Cloud
Threat Findings Report, sharing deep insights into the cloud threat
landscape to help security teams remain at the forefront of securing
their organizations against the latest threats.
"We are very excited to deliver our half-yearly cloud threat findings
report, which provides a detailed overview of significant discoveries
made by the Cado Security Labs team over the last six months," said
Chris Doman, CTO and Co-Founder of Cado Security. "With this report, we
aim to help security professionals better understand how attackers
exploit cloud-based technologies and, in turn, enable them to build a
more robust internal security program."
Cado Security Labs operates honeypot infrastructure across four
distinct geographical regions to collect cloud attacker telemetry. The
latter half of 2023 saw the introduction of "Cloudypots," a new, more
sophisticated, high-interaction honeypot system that allows researchers
to stand up realistic service honeypots quickly and safely.
As commercial adoption of cloud technologies continues, cloud-focused
malware campaigns have increased in both sophistication and number, so
a collective effort to safeguard large and small enterprises alike is
critical. Security teams need to reassess their internal tools and
approaches to ensure they can correctly identify, investigate, and
respond to emerging cloud threats.
The report provides insights into the second half of 2023, including an
analysis of real-world techniques employed by attackers and an overview
of novel malware campaigns found in the wild targeting cloud
environments, including Qubitstrike, Legion, Blackcat, Bioset, Cetus,
P2Pinfect, and 9hits.
Key technical findings from attacker telemetry, which Cado Security covers in detail within the report, include:
- Attackers target cloud services that require specialist technical knowledge to exploit. Attackers are increasingly targeting
services such as Docker, Redis, Kubernetes, and Jupyter, which require
expert technical knowledge to exploit, unlike the knowledge needed to
attack generic Linux servers.
- Docker is the most commonly exploited "cloud-native" service for initial access. Although
cloud-focused attackers aim to exploit various services typically
deployed in cloud environments, Docker remains the most frequently
targeted for initial access, accounting for 90.65% of honeypot traffic
once SSH is excluded.
- Threat actors leverage hosting companies across the globe for their infrastructure. Identified malware campaigns, such as P2Pinfect, had a
wide geographical distribution with nodes belonging to providers in
China, the US, and Germany, which shows that regardless of where your
infrastructure is located, it is still susceptible to Linux and
cloud-focused attacks.
- Cryptojacking is no longer the sole focus of cloud attackers. While
cryptojacking is a legitimate and significant threat, Cado Security
Labs has started to see a diversification in objectives displayed by
recent Linux and cloud malware campaigns. For example, with the
discovery of new Linux variants of ransomware families, such as Abyss
Locker, there is a worrying trend of ransomware on Linux and ESXi
systems. Cloud and Linux infrastructure is now subject to a broader
variety of attacks.
Other observations include:
- Attackers continue to exploit web-facing services to gain access to
cloud environments and invest significant time into hunting for
misconfigured deployments of these services.
- Rust malware continues to increase as the language gains popularity
in general software development. The language will also become more
popular in the malware community, with threat actors increasingly
developing malicious payloads in Rust.
To ensure effective and efficient cloud incident handling, Cado
Security Labs recommends that security teams:
- establish a policy of regularly reviewing the security of deployed
services in their cloud estate;
- reduce the attack surface by only deploying public-facing services
when necessary, and use the networking security features provided by
their Cloud Service Provider (CSP);
- collect and aggregate logs from the CSP's control plane and from the
individual services intended to run in their accounts;
- hold periodic reviews of these log sources and set up automated
alerting for anomalies found in them.
To download the full report, visit https://offers.cadosecurity.com/h2-2023-threat-findings-report.