Adaptation to Cloud Services. Chameleons of the Cyber World

The ‎adaptation‏ ‎of ‎attacks ‎to ‎target ‎cloud‏ ‎services ‎marks‏ ‎a‏ ‎significant ‎evolution ‎in‏ ‎the ‎landscape‏ ‎of ‎cyber ‎espionage ‎and‏ ‎cyber‏ ‎warfare. ‎This‏ ‎shift ‎is‏ ‎not ‎merely ‎a ‎change ‎in‏ ‎target‏ ‎but ‎represents‏ ‎a ‎deeper‏ ‎strategic ‎adaptation ‎to ‎the ‎changing‏ ‎technological‏ ‎environment‏ ‎and ‎the‏ ‎increasing ‎reliance‏ ‎of ‎governments‏ ‎and‏ ‎corporations ‎on‏ ‎cloud ‎infrastructure. ‎The ‎move ‎towards‏ ‎cloud ‎services‏ ‎by‏ ‎organizations ‎is ‎driven‏ ‎by ‎the‏ ‎benefits ‎of ‎scalability, ‎cost-efficiency,‏ ‎and‏ ‎the ‎ability‏ ‎to ‎rapidly‏ ‎deploy ‎and ‎update ‎services. ‎However,‏ ‎this‏ ‎transition ‎also‏ ‎presents ‎new‏ ‎vulnerabilities ‎and ‎challenges ‎for ‎cybersecurity.

Strategic‏ ‎Shift‏ ‎to‏ ‎Cloud

As ‎organizations‏ ‎have ‎modernized‏ ‎their ‎systems‏ ‎and‏ ‎migrated ‎to‏ ‎cloud-based ‎infrastructure, ‎actors ‎have ‎adapted‏ ‎their ‎tactics,‏ ‎techniques,‏ ‎and ‎procedures ‎(TTPs)‏ ‎to ‎this‏ ‎new ‎environment. ‎This ‎adaptation‏ ‎is‏ ‎driven ‎by‏ ‎the ‎realization‏ ‎that ‎cloud ‎services, ‎by ‎centralizing‏ ‎vast‏ ‎amounts ‎of‏ ‎data ‎and‏ ‎resources, ‎present ‎a ‎lucrative ‎target‏ ‎for‏ ‎espionage‏ ‎and ‎intelligence‏ ‎gathering. ‎The‏ ‎cloud's ‎architecture,‏ ‎while‏ ‎offering ‎numerous‏ ‎advantages ‎to ‎organizations, ‎also ‎necessitates‏ ‎a ‎reevaluation‏ ‎of‏ ‎security ‎strategies ‎to‏ ‎address ‎unique‏ ‎vulnerabilities.

Tactics, ‎Techniques, ‎and ‎Procedures‏ ‎(TTPs)

The‏ ‎adaptation ‎of‏ ‎actors ‎to‏ ‎cloud ‎services ‎involves ‎a ‎range‏ ‎of‏ ‎sophisticated ‎TTPs‏ ‎designed ‎to‏ ‎exploit ‎the ‎specific ‎characteristics ‎of‏ ‎cloud‏ ‎environments.‏ ‎One ‎of‏ ‎the ‎primary‏ ‎methods ‎of‏ ‎gaining‏ ‎initial ‎access‏ ‎to ‎cloud-hosted ‎networks ‎involves ‎authenticating‏ ‎to ‎the‏ ‎cloud‏ ‎provider. ‎This ‎can‏ ‎be ‎achieved‏ ‎through ‎various ‎means, ‎including‏ ‎brute‏ ‎forcing ‎and‏ ‎password ‎spraying‏ ‎to ‎access ‎services ‎and ‎dormant‏ ‎accounts.‏ ‎These ‎accounts,‏ ‎often ‎used‏ ‎to ‎run ‎and ‎manage ‎applications‏ ‎without‏ ‎direct‏ ‎human ‎oversight,‏ ‎are ‎particularly‏ ‎vulnerable ‎as‏ ‎they‏ ‎may ‎not‏ ‎be ‎protected ‎by ‎multi-factor ‎authentication‏ ‎(MFA) ‎and‏ ‎may‏ ‎possess ‎high ‎levels‏ ‎of ‎privilege.

Furthermore,‏ ‎actors ‎have ‎been ‎observed‏ ‎using‏ ‎system-issued ‎tokens‏ ‎for ‎authentication,‏ ‎bypassing ‎the ‎need ‎for ‎passwords.‏ ‎They‏ ‎have ‎also‏ ‎exploited ‎the‏ ‎process ‎of ‎enrolling ‎new ‎devices‏ ‎to‏ ‎the‏ ‎cloud, ‎bypassing‏ ‎MFA ‎through‏ ‎techniques ‎such‏ ‎as‏ ‎"MFA ‎bombing"‏ ‎or ‎"MFA ‎fatigue." ‎Additionally, ‎the‏ ‎use ‎of‏ ‎residential‏ ‎proxies ‎to ‎obscure‏ ‎their ‎internet‏ ‎presence ‎and ‎make ‎malicious‏ ‎activity‏ ‎harder ‎to‏ ‎detect ‎represents‏ ‎another ‎layer ‎of ‎sophistication ‎in‏ ‎their‏ ‎operations.

Implications ‎and‏ ‎Mitigations

The ‎adaptation‏ ‎of ‎actors ‎to ‎target ‎cloud‏ ‎services‏ ‎has‏ ‎significant ‎implications‏ ‎for ‎cybersecurity.‏ ‎It ‎underscores‏ ‎the‏ ‎need ‎for‏ ‎organizations ‎to ‎implement ‎robust ‎security‏ ‎measures ‎tailored‏ ‎to‏ ‎the ‎cloud ‎environment.‏ ‎This ‎includes‏ ‎enforcing ‎strong ‎password ‎policies,‏ ‎implementing‏ ‎MFA, ‎managing‏ ‎and ‎monitoring‏ ‎service ‎and ‎dormant ‎accounts, ‎and‏ ‎configuring‏ ‎device ‎enrollment‏ ‎policies ‎to‏ ‎prevent ‎unauthorized ‎access. ‎Additionally, ‎adjusting‏ ‎the‏ ‎validity‏ ‎time ‎of‏ ‎system-issued ‎tokens‏ ‎and ‎employing‏ ‎network-level‏ ‎defenses ‎to‏ ‎detect ‎and ‎mitigate ‎the ‎use‏ ‎of ‎residential‏ ‎proxies‏ ‎are ‎critical ‎steps‏ ‎in ‎defending‏ ‎against ‎these ‎threats.