Executive Summary
This report examines recent publicly reported incidents involving major Cloud Service Providers (CSPs), encompassing both cyberattacks and non-cyberattack disruptions such as service outages. The analysis underscores the multifaceted threats CSPs face and the cascading impact these incidents can have on businesses. The incidents discussed highlight the critical need for robust security measures, proactive incident response, transparent communication, and business continuity planning. The report concludes by emphasizing the shared responsibility of CSPs and their customers in maintaining a secure and resilient cloud environment and offers recommendations for mitigating risks.
Introduction
Cloud computing has transformed business operations by offering scalability, flexibility, and cost-efficiency. However, this increased reliance on cloud services also expands the attack surface for cybercriminals. This analysis focuses on publicly reported incidents related to Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), recognized as leaders in cloud services according to 2022's Magic Quadrant for Cloud Infrastructure and Platform Services (Figure 1).
Figure 1. 2022's Magic Quadrant for Cloud Infrastructure and Platform Services
Recent publicly reported incidents (Figure 2) involving these major Cloud Service Providers (CSPs) have highlighted not only diverse cyber threats but also vulnerabilities from non-cyber incidents, such as the CrowdStrike-Microsoft outage that disrupted businesses globally. These disruptions underscore the critical need for robust business continuity and disaster recovery plans.
Figure 2. Summary of 2024 Cloud Service Incidents
This report examines various incidents affecting CSPs (Figure 3, with details in Annex B), their impacts, and the lessons learned. It also offers recommendations for mitigating risks and enhancing the security and resilience of cloud environments. This report provides situational awareness based on publicly reported incidents gathered from Google News using in-house developed Python scripts leveraging the GoogleNews, langchain and langchain-google-genai libraries (refer to Annex A for more details on the scripts). It does not represent a comprehensive list of all incidents, as some may not be publicly reported.
Figure 3. 2024 Incidents
Lessons Learned
Recent cyber incidents involving CSPs have provided valuable lessons for both CSPs and their customers:
Shared Responsibility: Security in the cloud is a shared responsibility between CSPs and their customers. CSPs are responsible for securing the underlying infrastructure, while customers are responsible for securing their data and applications.
Proactive Incident Response: CSPs need to have robust incident response plans in place to quickly detect, contain, and remediate cyber incidents. Timely communication with customers is also crucial to minimize the impact of incidents.
Transparency and Communication: CSPs should be transparent with their customers about security incidents, providing timely and accurate information about the impact and remediation efforts.
Continuous Monitoring and Improvement: CSPs need to continuously monitor their environments for threats and vulnerabilities and implement improvements to their security posture.
Customer Education and Awareness: CSPs should educate their customers about security best practices and help them understand their role in maintaining a secure cloud environment.
Redundancy and Business Continuity: The reliance on cloud services necessitates robust redundancy and business continuity plans. Organizations should consider multi-cloud or hybrid cloud strategies to mitigate the impact of service outages from a single CSP. The CrowdStrike-Microsoft outage, where the CrowdStrike CEO stepped in to assist affected customers, emphasizes the importance of partnerships and alternative solutions during disruptions.
Mitigations
To mitigate the risks associated with cloud services, the following are some recommended measures to consider:
Strong Authentication and Access Control: Implement multi-factor authentication (MFA) and least privilege access to minimize the risk of unauthorized access.
Encryption: Encrypt data at rest and in transit to protect it from unauthorized access.
Regular Backups: Regularly back up data to ensure that it can be recovered in the event of a cyber incident.
Security Awareness Training: Provide security awareness training to employees and contractors to help them identify and avoid threats.
Incident Response Planning: Develop and test incident response plans to ensure that organizations are prepared to respond to cyber incidents.
Third-Party Risk Management: Assess and manage the risks associated with third-party vendors and suppliers.
Cloud Security Solutions: Leverage cloud security solutions to enhance visibility, detect threats, and automate security processes.
Multi-Cloud or Hybrid Cloud Strategies: Implementing multi-cloud or hybrid cloud strategies can provide redundancy and ensure business continuity in the event of a service outage from a single CSP.
Disaster Recovery Planning: Organizations should develop and test disaster recovery plans to ensure they can quickly recover from service outages or other disruptions.
Regular Testing and Monitoring: Regularly test and monitor cloud environments to identify and address potential issues before they cause service outages.
Conclusion
The growing dependence on cloud services has made Cloud Service Providers (CSPs) a prime target for cybercriminals. Recent incidents highlight the diverse threats CSPs face and the extensive impact these can have. To mitigate these risks, CSPs and their customers must collaborate to implement robust security measures, proactive incident response plans, and transparent communication. By embracing a shared responsibility model and continuously enhancing their security posture, organizations can reap the benefits of cloud computing while minimizing associated risks.
Moreover, the report underscores that risks linked to cloud services extend beyond cyberattacks. Service outages, technical glitches, and other non-cyber incidents can also significantly affect businesses. Therefore, organizations must adopt a comprehensive risk management approach addressing both cyber and non-cyber threats. By integrating robust security measures, proactive incident response plans, and effective business continuity strategies, organizations can maximize the advantages of cloud computing while minimizing potential risks.
Annex A
The data for this report was collected and processed using two main Python scripts:
Script 1: News Article Identification and Date Extraction
Search: The script utilizes the GoogleNews library to search for public reports related to cloud service providers (CSPs), using specific keywords such as "azure cyber incident or cyber attack", "amazon web services cyber incident or cyber attack" and "Google Cloud Platform cyber incident or cyber attack".
Date Extraction: It then extracts the date associated with each search result. However, the date obtained from the search results may not always be accurate due to inconsistencies in how websites present timestamps.
URL Verification: To ensure accuracy, the script visits the URL of each public report to extract the article date directly from the web page.
Filtering: Reports that do not have an accessible article date or have dates outside the relevant time frame are filtered out.
Script 2: Article Summarization and Information Extraction
Text Retrieval: The script visits the URL of each remaining report and retrieves the article text.
Summarization: It leverages the LangChain and LangChain-Google GenAI libraries to automatically summarize the article using Google Gemini generative AI.
Manual Summarization: Articles that cannot be automatically summarized due to the structure of the webpage are manually summarized in generative AI portals like Gemini or ChatGPT.
This two-step process ensures a comprehensive and accurate dataset of publicly reported incidents related to CSPs. The resulting data is then used to analyze trends, identify vulnerabilities, and derive lessons learned for the cloud computing industry.
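The URL verification and filtering steps of Script 1, as an added example (not the report's own script): the date is re-derived from each article page's metadata instead of the search result, and undated or out-of-range results are dropped. The fetcher is injected and the result dicts, page HTML and date ranges are constructed here so it runs offline; the result shape ("title", "link", "date") mirrors what GoogleNews().results() returns.

```python
import re
from datetime import date
from html.parser import HTMLParser
from typing import Callable, Optional

# Assumed fetcher signature: url -> HTML text (or None). The real script does an
# HTTP GET here; the sample below maps URLs to embedded pages instead.
Fetcher = Callable[[str], Optional[str]]

class _DateMetaParser(HTMLParser):
    """Collects the publication date from <meta> tags news sites commonly use."""
    KEYS = {"article:published_time", "datePublished", "pubdate", "date"}

    def __init__(self) -> None:
        super().__init__()
        self.found: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.found:
            return
        a = dict(attrs)
        key = a.get("property") or a.get("name") or a.get("itemprop")
        if key in self.KEYS and a.get("content"):
            self.found = a["content"]

def extract_article_date(html: str) -> Optional[date]:
    """Return the YYYY-MM-DD date found in the page metadata, or None."""
    parser = _DateMetaParser()
    parser.feed(html)
    match = re.match(r"(\d{4})-(\d{2})-(\d{2})", parser.found or "")
    return date(int(match[1]), int(match[2]), int(match[3])) if match else None

def verify_and_filter(results, fetch: Fetcher, start: date, end: date):
    """URL verification + filtering: trust the article page, not the search
    result, for the date, and drop anything undated or outside [start, end]."""
    kept = []
    for r in results:
        html = fetch(r["link"])
        article_date = extract_article_date(html) if html else None
        if article_date is None or not (start <= article_date <= end):
            continue
        kept.append({**r, "date": article_date.isoformat()})
    return kept

# Constructed sample: the first result's search date is vague, the second page
# is dated outside 2024, and the third carries no machine-readable date at all.
SAMPLE_RESULTS = [
    {"title": "Azure DDoS outage", "link": "https://news.example/azure", "date": "2 days ago"},
    {"title": "Old AWS story", "link": "https://news.example/aws", "date": "1 week ago"},
    {"title": "Undated post", "link": "https://news.example/gcp", "date": ""},
]
SAMPLE_PAGES = {
    "https://news.example/azure": '<html><head><meta property="article:published_time" '
                                 'content="2024-07-31T09:15:00Z"></head></html>',
    "https://news.example/aws": '<html><head><meta name="pubdate" content="2023-12-20"></head></html>',
    "https://news.example/gcp": "<html><head><title>no date here</title></head></html>",
}

def run_sample():
    return verify_and_filter(SAMPLE_RESULTS, SAMPLE_PAGES.get, date(2024, 1, 1), date(2024, 12, 31))

if __name__ == "__main__":
    for item in run_sample():
        print(item["date"], item["title"], item["link"])
```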
Annex B
a. Date and Duration: July 30, 2024, nearly 10 hours
b. Cause: Distributed Denial-of-Service (DDoS) cyberattack
c. Amplification: Error in Microsoft's DDoS protection mechanisms amplified the attack's impact
d. Affected Services:
i. Azure Front Door
ii. Azure Content Delivery Network
iii. Azure cloud services
iv. Microsoft 365 products
v. Microsoft Purview
vi. Services such as Azure App Services, Application Insights, Azure portal, and Azure IoT Central
e. Impact:
i. Service disruption for a subset of Azure customers globally
ii. Affected businesses, including critical infrastructure, banks, courts, and utilities
iii. Specific services impacted included Office, Outlook, Starbucks' mobile app, and Minecraft
f. Response and Mitigation:
i. Initial mitigations and failovers by 14:10 UTC
ii. Further actions taken around 18:00 UTC to normalize failure rates
iii. Full recovery by 19:43 UTC
iv. Preliminary Post Incident Review to be published within 72 hours, and a full report within 14 days
g. Current Status: Most services have returned to normal, with some users in New Zealand still facing issues accessing Microsoft 365 services
h. Additional Information:
i. Hacktivist group "SN_blackmeta" claimed responsibility for the attack
ii. DDoS attacks are on the rise, with a 20% year-on-year increase in Q2 2024 and a 112% increase from 2022 to 2023
iii. Microsoft has identified the source of the DDoS attack and is working on further mitigation
iv. Microsoft has apologized for the inconvenience and committed to improving cybersecurity measures
2. AWS Outage
AWS experienced a significant outage impacting services across its global network. Users reported issues accessing critical AWS services, including EC2 instances, S3 storage, and RDS databases. Amazon acknowledged the problem, stating they were investigating connectivity issues affecting multiple AWS services and working to resolve them quickly. The outage caused widespread disruptions for businesses relying on AWS for hosting, storage, and various other cloud services, including Amazon's own subsidiaries like Ring, Whole Foods, and Alexa.
a. Microsoft Azure outage caused flight groundings and disruptions for multiple airlines globally.
b. CrowdStrike CEO George Kurtz stepped in to assist affected customers.
c. The outage was caused by a faulty content update for Windows hosts, not a cyberattack.
d. CrowdStrike emphasized the importance of cybersecurity partnerships in mitigating such disruptions.
e. The incident highlighted the vulnerability of cloud-dependent systems and the need for redundancy and strong cybersecurity measures.
a. Summary:
i. Discovered by Tenable Research
ii. Impacts GCP Cloud Functions and Cloud Build services
iii. Allows attackers to escalate privileges and access other GCP services
b. Discovery and Impact:
i. Vulnerability occurs when creating or updating Cloud Functions
ii. Default Cloud Build service account with excessive permissions is attached to the Cloud Build instance
iii. Attackers can exploit this to gain access to other GCP services (e.g., Cloud Storage, Artifact Registry)
c. Technical Details:
i. Affects both first- and second-generation Cloud Functions
ii. Cloud Build service account token is extracted using malicious dependencies
iii. Example of malicious dependency in package.json file is provided
d. Response and Remediation:
i. GCP has partially remediated the issue for Cloud Build accounts created after mid-June 2024
ii. Tenable recommends replacing legacy Cloud Build service accounts with least-privilege service accounts
iii. Users should monitor and take preventive actions to secure their environments
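One way to act on the remediation advice above, as an added example that is not from Tenable or Google: walk a project's IAM policy and report every role still bound to the legacy Cloud Build service account, so it can be replaced with a dedicated least-privilege account. The policy JSON is constructed here in the shape `gcloud projects get-iam-policy PROJECT --format=json` emits; the project number and account names are placeholders.

```python
import json
import re

# Legacy Cloud Build service account naming: <project-number>@cloudbuild.gserviceaccount.com
LEGACY_CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")
# Basic roles grant project-wide access; a build account should never hold them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def audit_cloud_build_bindings(policy: dict) -> list:
    """Report each role bound to the legacy Cloud Build service account.
    Any binding at all is worth reviewing, since the account is what the
    Cloud Functions build step exposes; basic roles are rated high."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if not LEGACY_CLOUD_BUILD_SA.match(member):
                continue
            findings.append({
                "member": member,
                "role": role,
                "severity": "high" if role in BASIC_ROLES else "medium",
                "advice": "replace with a dedicated least-privilege build service account",
            })
    return findings

# Constructed sample policy: the legacy account still holds the default builder
# role plus an Editor binding; a dedicated build account is also present.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "serviceAccount:build-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:build-runner@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

def run_sample():
    return audit_cloud_build_bindings(SAMPLE_POLICY)

if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['member']} holds {f['role']}: {f['advice']}")
```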
a. Affected Azure Services:
i. Azure Application Insights
ii. Azure DevOps
iii. Azure Machine Learning
iv. Azure Logic Apps
v. Azure Container Registry
vi. Azure Load Testing
vii. Azure API Management
viii. Azure Data Factory
ix. Azure Action Group
x. Azure AI Video Indexer
xi. Azure Chaos Studio
b. Severity and Impact:
i. Classified as a Security Feature Bypass issue.
ii. High severity rating due to impact on data integrity and confidentiality
iii. Microsoft Security Response Center (MSRC) rated as Important and awarded a bounty.
c. Solution and Recommendations:
i. Microsoft created centralized documentation on usage patterns for service tags.
ii. Users should add authentication and authorization layers to defend assets.
d. Timeline of Disclosure:
i. January 24, 2024: Vulnerability disclosed to Microsoft.
ii. January 31, 2024: MSRC confirms behavior and awards bounty.
iii. February 26, 2024: MSRC updates documentation and addresses variants.
iv. June 3, 2024: Coordinated disclosure.
e. Importance:
i. Highlights the need for robust security measures and continuous monitoring.
ii. Users should implement additional authentication and authorization layers.
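An added check for the point made above (not Microsoft's or Tenable's code): a service tag in a network security group rule says which Azure service traffic comes from, not which tenant sent it, so an inbound Allow rule sourced from a tag is not an access control on its own. The function below flags such rules in an NSG's securityRules list; the rule JSON is constructed here in the ARM shape and the rule names and ports are placeholders.

```python
import ipaddress

def _is_ip_or_cidr(prefix: str) -> bool:
    try:
        ipaddress.ip_network(prefix, strict=False)
        return True
    except ValueError:
        return False

def _source_prefixes(props: dict) -> list:
    single = props.get("sourceAddressPrefix")
    many = props.get("sourceAddressPrefixes") or []
    return ([single] if single else []) + list(many)

def audit_nsg_rules(rules: list) -> list:
    """Report inbound Allow rules whose source is a service tag (anything that
    is neither an IP/CIDR nor VirtualNetwork). Such a rule admits traffic from
    every tenant using that service, so the destination must authenticate
    and authorize callers itself."""
    findings = []
    for rule in rules:
        props = rule.get("properties", {})
        if props.get("direction") != "Inbound" or props.get("access") != "Allow":
            continue
        for src in _source_prefixes(props):
            if src == "VirtualNetwork" or _is_ip_or_cidr(src):
                continue  # your own address space or an explicit IP range
            findings.append({
                "rule": rule.get("name"),
                "source_tag": src,
                "ports": props.get("destinationPortRange") or props.get("destinationPortRanges"),
                "advice": "add authentication/authorization on the destination; "
                          "do not treat the tag as proof of a trusted caller",
            })
    return findings

# Constructed sample NSG rules.
SAMPLE_RULES = [
    {"name": "allow-actiongroup-webhook", "properties": {
        "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "ActionGroup",
        "destinationPortRange": "443", "priority": 100}},
    {"name": "allow-vnet", "properties": {
        "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "VirtualNetwork",
        "destinationPortRange": "*", "priority": 200}},
    {"name": "allow-office-range", "properties": {
        "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "203.0.113.0/24",
        "destinationPortRange": "22", "priority": 300}},
    {"name": "outbound-storage", "properties": {
        "direction": "Outbound", "access": "Allow", "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "Storage", "destinationPortRange": "443", "priority": 400}},
]

def run_sample():
    return audit_nsg_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['rule']}: inbound from tag {f['source_tag']} on {f['ports']} -> {f['advice']}")
```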
a. Cloud Services Targeted: Amazon AWS, Google Cloud, IBM Cloud, Backblaze B2 Cloud
b. Technique:
i. Exploitation of static website hosting feature in cloud storage to store malicious HTML files
ii. Use of "HTML meta refresh" to redirect users to phishing sites
iii. Spam emails and SMS messages contain links to these malicious cloud-hosted pages
c. Phishing Process:
i. Scammers send SMS messages with links to seemingly legitimate cloud-hosted websites
ii. Clicking the link redirects users to phishing sites disguised as legitimate pages (e.g., bank login pages)
iii. Aim to steal personal and financial information
d. Examples:
i. Google Cloud Storage: Attackers create a bucket to host a malicious HTML page using a meta refresh tag for automatic redirection
ii. Amazon AWS: SMS messages link to static websites hosted on AWS that redirect to malicious sites
iii. IBM Cloud and Backblaze B2 Cloud: Similar techniques used for hosting phishing sites and redirecting users
e. Impact:
i. Attackers bypass firewalls and security filters because the initial link originates from trusted cloud providers
ii. Increased success rate of phishing attempts as users trust links from reputable cloud services
f. Objective: Financial fraud and data theft by stealing personal information through sophisticated phishing schemes
g. Security Recommendations:
i. Users should be cautious of links in unsolicited SMS messages or emails, even if they appear to be from trusted sources
ii. Organizations should monitor and secure cloud storage services to prevent misuse
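A detection-side illustration of the technique above, added here and not taken from the reporting: given the URL of a page on a cloud static-hosting endpoint and its HTML, it extracts any "HTML meta refresh" target and flags the page when it bounces visitors to a different host. The hostname suffixes are assumptions to adapt to your own lists, and the lure page and URLs are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostname suffixes for the static-hosting endpoints named in the incident.
STATIC_HOSTING_SUFFIXES = (
    "storage.googleapis.com",                 # Google Cloud Storage
    ".amazonaws.com",                         # S3 website / REST endpoints
    ".cloud-object-storage.appdomain.cloud",  # IBM Cloud Object Storage
    ".backblazeb2.com",                       # Backblaze B2
)

class _RefreshParser(HTMLParser):
    """Finds <meta http-equiv="refresh" content="0; url=..."> in a page."""
    def __init__(self) -> None:
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target:
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
        if m:
            self.target = m.group(1)

def meta_refresh_target(html: str):
    p = _RefreshParser()
    p.feed(html)
    return p.target

def assess_hosted_page(page_url: str, html: str) -> dict:
    """Flag a cloud-storage-hosted page whose only job is to send the visitor
    to another host, which is the pattern the SMS and email lures rely on."""
    host = urlparse(page_url).hostname or ""
    on_storage = any(host == s.lstrip(".") or host.endswith(s) for s in STATIC_HOSTING_SUFFIXES)
    target = meta_refresh_target(html)
    target_host = urlparse(target).hostname if target else None
    redirects_off_host = bool(target_host) and target_host != host
    return {
        "hosted_on_cloud_storage": on_storage,
        "meta_refresh_target": target,
        "suspicious": on_storage and redirects_off_host,
    }

# Constructed lure page of the kind described above.
SAMPLE_URL = "https://promo-bucket.storage.googleapis.com/index.html"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; URL='https://secure-login.example-phish.invalid/'">
</head><body>Redirecting...</body></html>"""

def run_sample():
    return assess_hosted_page(SAMPLE_URL, SAMPLE_HTML)

if __name__ == "__main__":
    print(run_sample())
```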
A new variant of the AllaKore Remote Access Trojan (RAT), named AllaSenha, has been discovered targeting Brazilian bank accounts. This malware employs a multi-stage infection chain that involves phishing emails, malicious LNK files disguised as PDFs, Python scripts, and a Delphi-developed loader. It uses Azure cloud infrastructure for its command and control (C2) communication, which has been active since March 2024.
a. Google Cloud accidentally deleted a $125 billion pension fund's online account due to an incorrect setup.
b. The outage affected 620,000 members and caused concerns about cloud security.
c. CEOs of UniSuper and Google Cloud apologized for the failure.
d. The incident was caused by a misconfiguration that deleted the fund's cloud subscription.
e. Google Cloud has implemented measures to prevent similar incidents.
f. UniSuper restored services using backups from another provider.
g. The incident highlights the importance of strong security and quick response systems in cloud services.
h. UniSuper is working to fully restore services and prevent future incidents.
a. Incident Duration: Internal secrets exposed for a month
b. Contents Exposed:
i. Scripts, source code, and configuration files
ii. Passwords and credentials for accessing internal databases and systems
iii. Potential for further attacks and evasion of detection in target networks
c. Security Flaw: Server lacked adequate security and password protection
d. Discovery and Response:
i. Vulnerability discovered by SOCRadar researchers
ii. Microsoft notified on February 6, 2024
iii. Breach secured by Microsoft on March 5, 2024
e. Microsoft's Statement: Credentials were temporary, internally accessible only, and disabled after testing
f. Repercussions:
i. Could lead to further data leaks and compromised services
ii. Part of a series of security slip-ups for Microsoft
g. Criticism:
i. 2023 Exchange Intrusion report criticized Microsoft's lax security culture and risk management
ii. US Cyber Safety Review Board accused Microsoft of deprioritizing security investments
h. Related Incidents:
i. 2022 exposure of sensitive login credentials on GitHub by Microsoft employees
ii. Chinese-backed hack stealing an internal email signing key, accessing inboxes of senior U.S. officials
iii. Ongoing cyberattack by Russian state-backed hackers stealing source code and internal emails
a. Target: Aerospace, Aviation, and Defense industries in Israel, UAE, Turkey, India, and Albania.
b. Attacker: UNC1549 (linked to Iran-Nexus)
c. Methods:
i. Social Engineering: Fake job offers via email and social media.
ii. Cloud Infrastructure Abuse: Microsoft Azure for command and control (C2).
iii. Backdoors: MINIBIKE and MINIBUS (deployed since at least 2022).
iv. Tunneling: LIGHTRAIL (based on the Lastenzug Socks4a proxy).
d. MINIBIKE Malware:
i. Custom C++ backdoor for exfiltration, command execution, upload, and C2 communication.
ii. Installed with launcher and disguised as legitimate executable.
e. MINIBUS Malware:
i. More flexible code execution and information gathering than MINIBIKE.
ii. Features: code execution interface, process enumeration, DLL export, C2 communication, lure themes.
f. Indicators of Compromise (IOCs): Provided in the article for MINIBIKE, MINIBUS, LIGHTRAIL, Fake Job Offers, and C2 & Hosting Infrastructure.
g. Additional Notes:
i. Attackers used domain names resembling legitimate sites to evade detection.
ii. This campaign highlights the challenges of defending against cloud-based C2 infrastructure.
a. Scope: Hundreds of accounts affected, including senior executives (VPs, CFOs, CEOs).
b. Discovery: Breach found by Proofpoint researchers.
c. Method of Attack:
i. Techniques: Credential phishing and cloud account takeover.
ii. Phishing: Personalized links to malicious phishing webpages.
iii. MFA Disruption: Possible interference with multifactor authentication.
iv. Obfuscation: Use of mailbox rules to hide activities.
d. Targets and Impact:
i. Victims: Senior executives and various employees.
ii. Access: Compromised accounts provided access to multiple levels of data and resources.
iii. Financial Motive: Objectives included data theft and financial fraud.
e. Attack Origin:
i. Suspected Locations: Russia and Nigeria based on infrastructure and previous attack parallels.
f. Criticism and Recommendations:
i. Microsoft Criticism: Poor security practices leading to multiple breaches.
ii. Recommendations: Identify account takeovers, monitor suspicious activities, enforce credential changes.
g. Regulatory Response:
i. US Government: Mandatory disclosure of significant data breaches.
12. Hackers Abusing Google Cloud Run to Deliver Banking Malware
a. Incident: Large-scale malware distribution campaigns abusing Google Cloud Run
b. Target: European and Latin American users
c. Malware Types: Banking trojans such as Astaroth (Guildma), Mekotio, and Ousaban
d. Technique:
i. Hackers use Google Cloud Run to host malicious webpages and files
ii. Emails with malicious links are sent, masquerading as invoices or government documents
iii. Victims clicking on links are redirected to malware hosted on Google Cloud Run
iv. Malware often delivered as malicious Microsoft Installer (MSI) files
e. Language Focus: Majority of emails in Spanish, targeting LATAM; some Italian-language emails
f. Observed Trends: Increase in related emails post-September 2023
g. Examples of Email Posing: Argentina’s Administración Federal de Ingresos Públicos (AFIP) as the sender
h. Malware Delivery:
i. Google Cloud Run service sometimes redirects to Google Cloud file location
ii. Malware often delivered in ZIP archives containing MSI files
i. Malware Capabilities:
i. Astaroth: Anti-analysis/evasion, logs keystrokes, takes screenshots
ii. Mekotio: Extracts confidential financial data
iii. Ousaban: Steals sensitive data from financial institutions
j. Research Insights: Potential cooperation between threat actors, using same storage bucket for malware distribution
k. Recommendations: Implement robust malware protection to block Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits
a. Russian hackers (Nobelium) targeted Microsoft's corporate systems.
b. Attackers gained access through a password spray attack on a non-production test tenant account without two-factor authentication.
c. Hackers compromised a legacy test OAuth application with elevated access.
d. OAuth applications were used to authenticate to Microsoft Exchange Online and target corporate email accounts.
e. Microsoft discovered the attack on January 12th, 2024, after it began in late November 2023.
f. Hewlett Packard Enterprise (HPE) reported a similar attack from the same group.
g. Microsoft admitted to a lack of two-factor authentication on a key test account, raising concerns in the cybersecurity community.
h. Microsoft claims that current mandatory policies and workflows would prevent such attacks in the future.
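The entry point described above (a password spray against an account without two-factor authentication) is detectable in sign-in telemetry. The following is an added example, not Microsoft's detection: per source IP, it counts distinct users with failed sign-ins inside a sliding window and escalates when that IP later succeeds without MFA. The events are constructed in a simplified shape (real Entra ID sign-in logs carry fields such as userPrincipalName, ipAddress and status.errorCode); the IPs, users and thresholds are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def detect_password_spray(events, min_users=5, window=timedelta(hours=1)):
    """Return one finding per IP that failed against >= min_users distinct
    accounts within `window`. A success from that IP after the spray began
    is listed; a success without MFA raises severity to critical."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]
        counts, left, best, best_start = defaultdict(int), 0, 0, None
        for e in failures:                       # sliding window over failures
            counts[e["user"]] += 1
            while e["ts"] - failures[left]["ts"] > window:
                old = failures[left]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) > best:
                best, best_start = len(counts), failures[left]["ts"]
        if best < min_users:
            continue
        successes = [e for e in evs if e["result"] == "success" and e["ts"] >= best_start]
        findings.append({
            "ip": ip,
            "distinct_users_failed": best,
            "window_start": best_start.isoformat(),
            "later_successes": [(e["user"], e["mfa"]) for e in successes],
            "severity": "critical" if any(not e["mfa"] for e in successes) else "high",
        })
    return findings

# Constructed sign-in events: one IP sprays six accounts a minute apart and then
# lands on a test account with no MFA; a second IP is one user mistyping a password.
def _ev(minute, user, result, mfa=False, ip="198.51.100.7"):
    return {"ts": datetime(2024, 1, 12, 3, minute), "user": user, "ip": ip,
            "result": result, "mfa": mfa}

SAMPLE_SIGNINS = [_ev(m, f"user{m}@contoso.example", "failure") for m in range(6)] + [
    _ev(7, "legacy-test@contoso.example", "success", mfa=False),
    _ev(1, "alice@contoso.example", "failure", ip="192.0.2.10"),
    _ev(2, "alice@contoso.example", "failure", ip="192.0.2.10"),
    _ev(3, "alice@contoso.example", "success", mfa=True, ip="192.0.2.10"),
]

def run_sample():
    return detect_password_spray(SAMPLE_SIGNINS)

if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['ip']} failed against {f['distinct_users_failed']} "
              f"users from {f['window_start']}; later successes: {f['later_successes']}")
```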