Top 10 cloud attack threats and vectors in 2022

In cybersecurity, an attack threat is a method used by an attacker to access a victim’s machine.

An attack vector is the method by which an attacker achieves unauthorized network access to launch a cyber attack: the path used to gain access to a victim’s machine in order to infect it with malware.

Let’s look at the most common OWASP Top 10 attack threats and vectors against cloud infrastructure today.

See also my post The most common attack vectors in 2022 for more details on how to predict, remove and mitigate these threats.

Cloud attack threats

  • Insecure Application Programming Interface (API)
    • An API must only be used over an encrypted channel (HTTPS)
    • Implement throttling/rate-limiting mechanisms to protect from a DoS
    • Data received by an API must pass server-side validation routines
  • Improper Key Management
    • APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data
    • Do not hardcode or embed a key into the source code
    • Do not create one key with full control to access an application’s functions
    • Delete unnecessary keys and regenerate keys when moving into a production environment
  • Insufficient Logging and Monitoring
    • Software as a service may not supply access to log files or monitoring tools
    • Logs must be copied to non-elastic storage for long-term retention
  • Unprotected Storage
    • Cloud storage containers are referred to as buckets or blobs
  • Improper IAM and privilege escalation
    • Principle of least privilege
    • Multi-Factor Authentication (MFA)
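The items "do not create one key with full control", "principle of least privilege" and "MFA" can be checked mechanically against a policy document before a key is issued. The following is an added example, not code from the original post or from any cloud SDK: it audits an IAM-style policy for wildcard grants and for permission-changing actions that are not gated on MFA. The policy shape (Statement / Effect / Action / Resource / Condition) and the aws:MultiFactorAuthPresent condition key follow AWS naming; the sample policies, ARNs and account number are constructed.

```python
"""Least-privilege audit of an IAM-style policy document.

Added example, not code from the original post or any cloud SDK. The
policy shape (Statement / Effect / Action / Resource / Condition) and the
aws:MultiFactorAuthPresent condition key follow AWS naming; the sample
policies, ARNs and account number below are constructed.
"""
import json
from typing import Any

# Actions that let a principal change permissions. A key holding these can
# widen its own access, so they are flagged unless the statement requires MFA.
PERMISSION_CHANGING_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreatePolicyVersion", "iam:PassRole", "sts:AssumeRole",
}


def _as_list(value: Any) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition: Any) -> bool:
    """True if the statement only applies when MFA was used for the session."""
    for operator, pairs in (condition or {}).items():
        if operator in ("Bool", "BoolIfExists"):
            if str(pairs.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
                return True
    return False


def audit_policy(policy_json: str) -> list[dict]:
    """Return findings as {"sid", "rule", "detail"} dicts; an empty list means clean."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement-{i}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        any_action = "*" in actions
        any_resource = "*" in resources

        if any_action and any_resource:
            findings.append({"sid": sid, "rule": "FULL_ADMIN",
                             "detail": "Allow * on *: one key with full control"})
        elif any_action:
            findings.append({"sid": sid, "rule": "WILDCARD_ACTION",
                             "detail": f"every action on {resources}"})
        elif any_resource:
            findings.append({"sid": sid, "rule": "WILDCARD_RESOURCE",
                             "detail": f"{actions} on every resource"})

        # A service-level wildcard such as "s3:*" is broad even when the resource is scoped.
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append({"sid": sid, "rule": "SERVICE_WILDCARD", "detail": action})

        risky = sorted(PERMISSION_CHANGING_ACTIONS.intersection(actions))
        if risky and not _requires_mfa(stmt.get("Condition")):
            findings.append({"sid": sid, "rule": "ESCALATION_WITHOUT_MFA",
                             "detail": "no MFA condition on " + ", ".join(risky)})
    return findings


# Constructed sample: the "one key with full control" anti-pattern.
OVERLY_BROAD_POLICY = json.dumps({
    "Statement": [{"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}]
})

# Constructed sample: read access to one bucket, plus role assumption gated on MFA.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "AssumeAuditorWithMfa", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/Auditor",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ]
})

if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)):
        print(name, audit_policy(doc) or "no findings")
```

Run this as a pre-deployment check on every policy attached to an API key or service account: a FULL_ADMIN or ESCALATION_WITHOUT_MFA finding is the kind of key that the list above says should never be created, and the scoped sample shows what the same access looks like when it is narrowed to one bucket and one role.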

Cloud attack vectors

  • Security misconfigurations
    • Wrong data permission model and public data stores
    • Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services
    • Unnecessary features are enabled or installed
    • Default accounts and their passwords are still enabled and unchanged.
    • Error handling reveals stack traces or other overly informative error messages to users.
    • For upgraded systems, the latest security features are disabled or not configured securely.
    • The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values.
    • The server does not send security headers or directives, or they are not set to secure values.
  • Brute force attack
    • Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
    • Permits default, weak, or well-known passwords, such as “Password1” or “admin/admin”.
    • Uses weak or ineffective credential recovery and forgot-password processes, such as “knowledge-based answers”, which cannot be made safe.
    • Uses plain text, encrypted, or weakly hashed passwords
  • Phishing attacks against the users of the cloud service
    • Email phishing: messages usually appear to come from a well-known organization and ask for your personal information, such as a credit card number, social security number, account number or password
    • VISHING is the telephone equivalent of phishing: the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft
    • Masquerading as a senior person at an organization and directly targeting senior or other important individuals at that organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes
    • SMISHING: when someone tries to trick you into giving them your private information via a text or SMS message
    • SPEAR PHISHING: the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information
  • Orchestration attacks
    • Injection flaws (app layer, cloud events, cloud services)
    • Insecure cloud, container or orchestration configuration
    • CI/CD pipeline & software supply chain flaws
    • Inadequate ‘compute’ resource quota limits
  • Denial of service
    • DDoS attacks on cloud auto-scaling mechanisms: uncontrolled or improperly configured autoscaling of resources. Denial of wallet attacks: mass invocation of serverless functions, resulting in financial exhaustion of the victim in the form of inflated usage bills. TCP/UDP flooding.
    • Application Layer: an application layer denial of service occurs when there is too much traffic at the application level
    • Network-centric or volume-based attacks. These overload a target network by consuming available resources with large volumes of traffic
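The security misconfiguration items above (default settings left in place, server and framework banners that reveal too much, security headers missing or set to weak values) can be checked mechanically against every response a service returns. The following is an added example, not code from the original post: it audits a response's headers against a small hardening baseline. The baseline values are common recommendations, not a standard from the post, and the two sample responses are constructed; adjust the thresholds to your own policy.

```python
"""Audit an HTTP response's security headers against a hardening baseline.

Added example, not code from the original post. The baseline (HSTS, CSP,
X-Content-Type-Options, X-Frame-Options, Referrer-Policy) and the list of
version-disclosing headers are a common starting set; the two sample
responses below are constructed.
"""
from typing import Callable, Mapping

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def _max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0


# Header name -> predicate that returns True when the value is set securely.
REQUIRED: dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: _max_age(v) >= ONE_YEAR,
    "content-security-policy": lambda v: "default-src" in v and "'unsafe-inline'" not in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in SAFE_REFERRER,
}

# Headers that advertise the server or framework (and usually its version).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def audit_headers(headers: Mapping[str, str]) -> dict[str, list[str]]:
    """Return {"missing": [...], "weak": [...], "disclosing": [...]}."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    report: dict[str, list[str]] = {"missing": [], "weak": [], "disclosing": []}
    for name, is_secure in REQUIRED.items():
        if name not in lower:
            report["missing"].append(name)
        elif not is_secure(lower[name]):
            report["weak"].append(name)
    for name in DISCLOSING:
        if name in lower:
            report["disclosing"].append(f"{name}: {lower[name]}")
    return report


def is_hardened(headers: Mapping[str, str]) -> bool:
    """True only when nothing is missing, weak or disclosing."""
    return not any(audit_headers(headers).values())


# Constructed sample: a stock install that has not been hardened.
DEFAULT_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=0",
}

# Constructed sample: the same endpoint after hardening.
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, resp in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp))
```

Wire `audit_headers` into an integration test or a scheduled check against each public endpoint so a regression (a new deployment that drops a header, or a framework upgrade that re-enables a banner) is caught before an attacker sees it.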
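For the brute force item above, the defender's side is detection and a sane password policy. This added example (not from the original post) parses constructed authentication log lines and raises two kinds of alert: repeated failures for one account from one source (password guessing) and failures across many different accounts from one source within a short window (credential stuffing with a list of usernames). It also includes the denylist check that keeps defaults such as “Password1” out at set or reset time. The log format, thresholds and sample data are all assumptions; map the regex onto your own identity provider's log schema.

```python
"""Detect brute-force and credential-stuffing patterns in authentication logs.

Added example, not code from the original post. The log line format, the
thresholds and the sample lines are all constructed; map the regex onto
your own identity provider's log schema before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> auth <success|failure> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=5)
FAILURES_PER_USER = 5   # same account hammered from one source -> password guessing
DISTINCT_USERS = 4      # many accounts tried from one source -> credential stuffing

# Small stand-in for a breached/common password denylist (constructed).
COMMON_PASSWORDS = {"password", "password1", "admin", "123456", "qwerty", "letmein"}


def parse(line: str):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines):
    """Return sorted (ip, alert_type) pairs; lines are assumed to be in time order."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) for recent failures
    alerts = set()
    for ev in filter(None, map(parse, lines)):
        if ev["result"] != "failure":
            continue
        window = recent[ev["ip"]]
        window.append((ev["ts"], ev["user"]))
        while window and ev["ts"] - window[0][0] > WINDOW:
            window.popleft()      # drop failures older than the sliding window
        users = [u for _, u in window]
        if users.count(ev["user"]) >= FAILURES_PER_USER:
            alerts.add((ev["ip"], "BRUTE_FORCE"))
        if len(set(users)) >= DISTINCT_USERS:
            alerts.add((ev["ip"], "CREDENTIAL_STUFFING"))
    return sorted(alerts)


def is_weak_password(candidate: str) -> bool:
    """Reject default, well-known or short passwords at set/reset time."""
    return len(candidate) < 12 or candidate.lower() in COMMON_PASSWORDS


# Constructed sample log: one guessing source, one stuffing source, one normal user.
SAMPLE_LOG = """
2022-03-01T10:00:01 auth failure user=alice ip=198.51.100.7
2022-03-01T10:00:03 auth failure user=alice ip=198.51.100.7
2022-03-01T10:00:05 auth failure user=alice ip=198.51.100.7
2022-03-01T10:00:08 auth failure user=alice ip=198.51.100.7
2022-03-01T10:00:09 auth failure user=alice ip=198.51.100.7
2022-03-01T10:01:00 auth failure user=bob ip=203.0.113.9
2022-03-01T10:01:01 auth failure user=carol ip=203.0.113.9
2022-03-01T10:01:02 auth failure user=dave ip=203.0.113.9
2022-03-01T10:01:03 auth failure user=erin ip=203.0.113.9
2022-03-01T10:02:00 auth failure user=frank ip=192.0.2.44
2022-03-01T10:20:00 auth failure user=frank ip=192.0.2.44
2022-03-01T10:20:30 auth success user=frank ip=192.0.2.44
""".strip().splitlines()

if __name__ == "__main__":
    for ip, kind in detect(SAMPLE_LOG):
        print(f"{kind}: {ip}")
```

The user frank mistypes once, tries again eighteen minutes later and then succeeds, so no alert fires for him; the two attacking sources each trip exactly one rule. Feeding the alerts into a lockout or step-up MFA decision is the response the list above is pointing at.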
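Rate limiting (API section above) and the denial of wallet case just described are two sides of the same control: per-client throttling stops one caller from flooding a function, and a global invocation budget caps what auto-scaling can spend when many callers flood it at once. This added example, not code from the original post, combines both in one admission guard with the clock passed in so a flood can be simulated offline; the limits, costs and client names are constructed.

```python
"""Per-client rate limiting plus a daily invocation budget for a pay-per-use function.

Added example, not code from the original post. Limits, costs and client
names are constructed; the clock is passed in so the flood can be simulated
offline and the logic unit-tested.
"""


class TokenBucket:
    """Refills `rate` tokens per second up to `capacity`; a request costs one token."""

    def __init__(self, rate: float, capacity: float, now: float):
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity
        self.last = now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class InvocationGuard:
    """Admission control in front of a serverless-style function.

    A token bucket per client throttles any single caller (the API section's
    rate limiting). A shared daily budget caps the total number of paid
    invocations, so a flood from many clients cannot scale the bill without
    bound (denial of wallet).
    """
    DAY = 86400.0

    def __init__(self, per_client_rate: float, per_client_burst: float, daily_budget: int):
        self.per_client_rate = per_client_rate
        self.per_client_burst = per_client_burst
        self.daily_budget = daily_budget
        self.buckets: dict[str, TokenBucket] = {}
        self.spent = 0          # paid invocations admitted in the current day
        self.day_start = 0.0

    def admit(self, client_id: str, now: float) -> str:
        """Return "ok", "throttled" or "budget_exhausted" for one request."""
        if now - self.day_start >= self.DAY:          # new day: reset the budget
            self.day_start = now - (now % self.DAY)
            self.spent = 0
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(
                self.per_client_rate, self.per_client_burst, now)
        if not bucket.allow(now):
            return "throttled"                        # cheap rejection, no function run
        if self.spent >= self.daily_budget:
            return "budget_exhausted"                 # serve a static error instead
        self.spent += 1
        return "ok"


def simulate_flood(clients: int, requests_each: int, rate: float = 2.0,
                   burst: float = 5.0, budget: int = 1000) -> dict:
    """Every client fires `requests_each` requests at t=0 and again at t=1s.

    Returns the count of each outcome. Per-client throttling alone would still
    admit clients * burst paid invocations in the first burst; the budget is
    what bounds the day's spend.
    """
    guard = InvocationGuard(rate, burst, budget)
    outcomes = {"ok": 0, "throttled": 0, "budget_exhausted": 0}
    for t in (0.0, 1.0):
        for c in range(clients):
            for _ in range(requests_each):
                outcomes[guard.admit(f"client-{c}", t)] += 1
    return outcomes


if __name__ == "__main__":
    # Constructed flood: 300 clients x 10 requests x 2 rounds = 6000 requests.
    print(simulate_flood(300, 10))
```

With 300 clients, each bucket admits five requests in the first burst and two more after a second of refill, so throttling alone would pay for 2100 invocations; the daily budget of 1000 stops the bill there, and the remaining 1100 bucket-admitted requests are answered with a static error rather than a function run. In production the same guard belongs at the API gateway, where the rejection costs nothing, and the budget should alert well before it is exhausted.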

Prevention mechanisms

It is very important to know how an attack works in order to prevent it from spreading across the whole infrastructure.

Here are the basic methods and mechanisms to do so:

  • Cloud Security as a Service (SECaaS). SECaaS provides the organization with various types of security services without the need to maintain a cybersecurity staff
  • Anti-malware solutions were one of the first SECaaS products
  • Cloud-based vulnerability scans can better provide the attacker’s perspective; note that your vulnerability data may be stored on the cloud provider’s server
  • Sandboxing: utilizes separate virtual networks to allow security professionals to test suspicious or malicious files
  • Data Loss Prevention (DLP)
  • Continuous Monitoring
  • Access Control
  • Identity Management
  • Business Continuity
  • Disaster Recovery

Remember, your data is your greatest asset,

be ethical,

protect your privacy!


1 thought on “Top 10 cloud attack threats and vectors in 2022”

  1. Thanks for sharing. Misconfiguration should be a cloud attack threat instead of a cloud attack vector. My understanding is that cloud attack threats are in a way related to weaknesses (which, as a defender, we can take action on), while cloud attack vectors are external and we have no control over them.
